Mac-compatible ‘Fruitfly’ malware escapes detection for years
Fri 20 Jan 2017
A new type of malware has been discovered on the systems of biomedical research facilities, and appears to have been lurking undetected for years. The malware – which carries both Mac and Linux forms of its commands so that it works on either platform – provides the attacker with screen captures, webcam access, and information on the other computers in the local network.
Dubbed ‘Fruitfly’, it’s relatively unsophisticated in terms of functionality and delivery modes, using a hidden file and launch agent, making it easy to detect and to remove if a user is actively looking for it. Some suggest that the reason it went undetected for so long is due to the fact that it does not appear to have been subject to a wide release; instead, it was used in targeted attacks which minimized its exposure.
Fruitfly uses a hidden Perl script to communicate with two command and control (C&C) servers.
It consists of only two files, which use shell commands to collect screen captures and uptime information from the infected system. The code uses both the Mac ‘screencapture’ command and the Linux ‘xwd’ command to take the screen captures. Additionally, the malware retrieves uptime data using both the Mac ‘uptime’ command and the Linux ‘cat /proc/uptime’ command.
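The two traits described above – a launch agent that points at a hidden file, and a script that carries both the Mac and the Linux form of the same command – are the kind of thing a defender can check for. The following Python triage helpers are an added example, not Fruitfly's code and not Malwarebytes' detection logic; the launch-agent plist and the script text they run on are constructed samples, and the command pairs are the ones the article names.

```python
"""Defender-side triage helpers for the two Fruitfly traits the article
describes: a launchd agent whose program is a hidden (dot-prefixed) file,
and a script that contains BOTH the macOS and the Linux variant of a
command. Added example with constructed inputs; not the malware's code.
"""
import os
import plistlib
import re
from typing import List

# (label, macOS pattern, Linux pattern). Only the pairs named in the
# article. The macOS 'uptime' pattern refuses a preceding '/' so that
# '/proc/uptime' alone does not count as both halves.
DUAL_PLATFORM_PAIRS = [
    ("screen capture", r"\bscreencapture\b", r"\bxwd\b"),
    ("uptime", r"(?<![/\w])uptime\b", r"/proc/uptime"),
]


def hidden_program_paths(plist_bytes: bytes) -> List[str]:
    """Return the Program / ProgramArguments entries of a launchd plist
    whose file name starts with a dot, i.e. a hidden file. A launch agent
    whose payload is a hidden file is the delivery trait described."""
    data = plistlib.loads(plist_bytes)
    candidates = []
    if isinstance(data.get("Program"), str):
        candidates.append(data["Program"])
    candidates.extend(a for a in data.get("ProgramArguments", [])
                      if isinstance(a, str))
    hits = []
    for path in candidates:
        name = os.path.basename(path)
        if name.startswith(".") and name not in (".", ".."):
            hits.append(path)
    return hits


def dual_platform_hits(script_text: str) -> List[str]:
    """Return the labels of command pairs for which BOTH the macOS and the
    Linux form occur in the script text. A script written for one platform
    normally contains only one half of each pair."""
    return [label for label, mac, lin in DUAL_PLATFORM_PAIRS
            if re.search(mac, script_text) and re.search(lin, script_text)]


def triage(plist_bytes: bytes, script_text: str) -> dict:
    """Combine both checks into one result for a launch agent + script pair."""
    return {
        "hidden_paths": hidden_program_paths(plist_bytes),
        "dual_platform": dual_platform_hits(script_text),
    }


# Constructed sample launch agent: the label and paths are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.hidden-demo</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/perl</string>
        <string>/Users/demo/.hidden_agent</string>
    </array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign launch agent: same interpreter, visible script file.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.visible-demo</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/perl</string>
        <string>/Users/demo/agent.pl</string>
    </array>
</dict>
</plist>
"""

# Constructed script text that only mimics the dual-command trait.
SAMPLE_SCRIPT = r"""#!/usr/bin/perl
# constructed sample, not Fruitfly's code
my $up = -d "/proc" ? `cat /proc/uptime` : `uptime`;
my $cmd = -x "/usr/sbin/screencapture" ? "screencapture" : "xwd";
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PLIST, SAMPLE_SCRIPT))
    # {'hidden_paths': ['/Users/demo/.hidden_agent'], 'dual_platform': ['screen capture', 'uptime']}
```

In practice the plist bytes would come from the files under a user's `~/Library/LaunchAgents` directory and the script text from whatever those agents point at; a hit on either check is a reason to look closer, not proof of infection, since legitimate cross-platform tooling can also branch on the operating system.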
The malware appears to enable a remote user to perform rudimentary control tasks on the infected machine, including changing the mouse position and simulating clicks and key presses.
One of the indicators that Fruitfly has been lurking for some time is a comment in the code that a change was made for the Yosemite release of October 2014, indicating that the malware pre-dates Yosemite. Also, the system calls in the malware appear to be pre-OS X, and it contains extremely outdated libjpeg code, an open-source JPEG project that has not been updated since 1998.
The source of the malware infection has yet to be determined; however, Mac and Linux users are encouraged to scan their systems for the malware. Apple has released a fix that will be automatically downloaded to Mac machines in order to prevent future Fruitfly infections. Malwarebytes also offers a free detection and removal download, under the name OSX.Backdoor.Quimitchin.