MacOS malware used to spy on home users in the US

A new variant of the macOS malware Fruitfly has been found by security researcher Patrick Wardle on some 400 machines of (mostly) home users located in the US.

macOS malware spy

Fruitfly: The first variant

The malware was first flagged earlier this year, and found to be able to take screenshots, turn on the target computer’s webcam, simulate mouse clicks and key presses, download additional scripts and files from the C&C servers, and grab information about and connect to other devices on the local network.

The fact that it uses system calls that date back to pre-OS X days and a version of the libjpeg library that dates back to 1998 seems to indicate that the malware has been around for many years. Or, it could be that the author chose to use them to avoid triggering modern behavioral detections.

The sample was found and provided by an IT admin at a biomedical research center, giving rise to the speculation that it could possibly be a piece of malware that is used seldom, to spy on high-value targets.

Ultimately, Malwarebytes detected the malware on just four Macs.

Fruitfly: The second variant

But, Wardle’s analysis of a second variant seems to point to a more sinister use of the malware and design by its author.

After discovering some backup domains hardcoded in it and ascertaining they were available, he registered one of them. In a matter of days, nearly 400 infected Macs connected to it, awaiting for instructions on what to do.

Wardle told Ars Technica that he shared the machines’ IP address and user name with the US authorities, and they will likely try to contact the users and inform them that their computers are compromised.

Setting up a custom C&C server also allowed him to discover more about the malware’s capabilities without having to reverse-engineer it.

He found out that this second variant has many of the spying capabilities of the first, but that there is no indication that the malware is used to install ransomware or collect online banking credentials.

When taking this fact into consideration along with the profile of the targets, it seems that the malware was not used by cyber crooks looking for a quick buck, or state-sponsored attackers. It’s more likely that the attacker is someone that has been using the malware for his or her own “perverse” goals.

But, as the malware’s C&C domains are currently unavailable, it seems that the attacker has “abandoned” it.

According to Wardle, this variant is currently detected by a small percentage of commercial AV solutions. Some of his own macOS security tools, though, would have detected some of the malware’s suspicious actions (e.g. Oversight would have detected the malware’s use of the Mac’s webcam).

Wardle is set to present his research on Fruitfly on Wednesday at the Black Hat conference in Las Vegas.

Don't miss