Fruitfly: Unusual Mac backdoor used for tightly targeted attacks?

Researchers have found and analyzed a Mac backdoor that is unusual in many ways.

The malware – detected as OSX.Backdoor.Quimitchin by Malwarebytes but dubbed Fruitfly by Apple – is believed to have been around for some years, but was never before flagged as a specific malware family.


The analysis has shown that Fruitfly can take screenshots and can access and use the computer’s webcam. If commanded to do so, it can discover the screen size and mouse cursor position, change the mouse position, simulate mouse clicks and key presses – capabilities that can be used to remotely control and mess with the compromised computer.

It can also download additional scripts and files from the C&C servers. One of these is used to build a map of all the other devices on the local network and grab information about them (IPv6 and IPv4 addresses, name, port in use), and another one attempts to connect to these other devices.

What’s so unusual about the Fruitfly backdoor?

For one, it uses “truly antique system calls”, which date back to pre-OS X days. Secondly, it uses the libjpeg library dating back to 1998.

“Further, there is a comment in the code in [one of the files] that indicates that a change was made for Yosemite (Mac OS X 10.10), which was released in October of 2014. This suggests that the malware has been around at least some time prior to Yosemite’s release,” researcher Thomas Reed noted.

“However, we shouldn’t take the age of the code as too strong an indication of the age of the malware. This could also signify that the hackers behind it really don’t know the Mac very well and were relying on old documentation. It could also be that they’re using old system calls to avoid triggering any kind of behavioral detections that might be expecting more recent code.”

Another interesting thing about Fruitfly is that it contains some Linux shell commands. Malwarebytes researchers tried running it on a Linux machine – and it worked (only the Mach-O executable it contains didn’t).

“This suggests that there may be a variant of this malware that is expressly designed to run on Linux, perhaps even with a Linux executable in place of the Mach-O executable. However, we have not found such a sample,” Reed explained.

Also interesting is that the C&C servers this piece of malware contacts have been used by some Windows executables that were submitted to VirusTotal in 2013.

It seems obvious that the Mac backdoor is/was rarely used, as it uses a persistence technique (a hidden file and a launch agent) that makes it easy to spot, and hasn’t been flagged before this.

“The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure,” says Reed.
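The persistence pattern described above (a launch agent that starts a hidden file) is something a defender can check for directly. The following Python is an added example, not code from the Malwarebytes analysis: the sample plists, labels and paths are constructed, and treating any dot-prefixed path component as "hidden" is an assumption.

```python
import plistlib
import tempfile
from pathlib import Path, PurePosixPath

def hidden_targets(job):
    """Return launchd job arguments whose path has a dot-prefixed component."""
    args = list(job.get("ProgramArguments") or [])
    if isinstance(job.get("Program"), str):
        args.append(job["Program"])
    hits = []
    for arg in args:
        if not isinstance(arg, str) or "/" not in arg:
            continue  # flags and bare words are not file paths
        parts = PurePosixPath(arg).parts
        if any(p.startswith(".") and p != ".." for p in parts):
            hits.append(arg)
    return hits

def scan_launch_agents(agent_dir):
    """Return (plist name, Label, hidden paths) per suspicious launch agent."""
    findings = []
    for plist_path in sorted(Path(agent_dir).glob("*.plist")):
        try:
            job = plistlib.loads(plist_path.read_bytes())  # XML or binary
        except Exception:  # unreadable or corrupt plist: surface it for review
            findings.append((plist_path.name, None, ["<unparseable>"]))
            continue
        hits = hidden_targets(job) if isinstance(job, dict) else []
        if hits:
            findings.append((plist_path.name, job.get("Label"), hits))
    return findings

def build_sample_dir():
    """Constructed sample data: one ordinary agent, one launching a hidden file."""
    d = Path(tempfile.mkdtemp())
    samples = {
        "com.example.sync.plist": {"Label": "com.example.sync",
            "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync", "--quiet"]},
        "com.example.helper.plist": {"Label": "com.example.helper", "RunAtLoad": True,
            "ProgramArguments": ["/bin/sh", "/Users/alice/.helper"]},
    }
    for name, job in samples.items():
        (d / name).write_bytes(plistlib.dumps(job))
    return d

if __name__ == "__main__":
    for finding in scan_launch_agents(build_sample_dir()):
        print(finding)
```

On a Mac, `scan_launch_agents` can be pointed at `~/Library/LaunchAgents` and `/Library/LaunchAgents`; a hit is a lead to review, since legitimate software also keeps files in dot-directories.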

This particular malware sample was discovered and sent in by an IT admin at a biomedical research center.

According to Reed, Apple is expected to release protection against it soon.