The mystery of the Fruitfly macOS malware has apparently been solved: a 28-year-old man from Ohio was charged on Wednesday with allegedly creating the malware and installing it on thousands of computers over more than 13 years.
He allegedly used the access provided by the malware to covertly watch, listen to, and obtain personal data from unknowing victims, as well as produce child pornography.
The malware was first discovered and analyzed by Malwarebytes researchers in January 2017, and it puzzled them.
It’s not that they found its capabilities unusual. Fruitfly could take screenshots, access and use the computer’s webcam and microphone, download additional scripts and files from its C&C servers, and simulate mouse clicks and key presses, all things that most backdoors can do.
What piqued their interest was the malware’s use of “truly antique system calls” from pre-OS X days, and of a version of the libjpeg library from 1998. A comment in the code also led them to believe that the malware predated the release of Yosemite (Mac OS X 10.10) in October 2014.
Finally, the C&C servers the malware contacted had previously been associated with Windows executables submitted to VirusTotal in 2013.
All this pointed to the malware being old, and the researchers posited that it hadn’t been flagged by the AV industry until then because it was used in very limited, targeted attacks.
Half a year later, security researcher Patrick Wardle discovered another variant of the malware, and managed to register one of the backup C&C domains hardcoded in it.
By observing the connections that came in to that server, he found the IP addresses of some 400 infected Macs, and concluded that the malware was apparently not being used to steal banking credentials or to install ransomware.
He hypothesized that the attacker was using the malware for “perverse reasons,” and shared his findings with US authorities.
Judging by the information provided in the indictment, Wardle was correct.
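The technique Wardle used, registering a backup C&C domain that the malware had hardcoded but the operator had not registered, is a standard sinkhole: once the domain resolves to a host the researcher controls, every infected machine that falls back to it reveals itself. The listener below is an added example and is not Wardle's code or Fruitfly's protocol; the check-in bytes it replays are constructed, and the `summarize()` function and the `Sinkhole` class are names chosen here for illustration. It accepts connections, records the source IP and the first bytes of whatever the implant sends, never replies (a sinkhole observes, it does not task the implant), and then collapses the records into a per-host count.

```python
"""Minimal C&C sinkhole demo (added example, not the original article's code).

Idea: register the malware's unused backup domain, point it at this listener,
and count the hosts that check in. The check-in format below is constructed;
it is not Fruitfly's real protocol.
"""
import socket
import socketserver
import threading
import time
from collections import OrderedDict


class Sinkhole(socketserver.ThreadingTCPServer):
    """TCP listener that records who connected and what they sent first."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, SinkholeHandler)
        self.lock = threading.Lock()
        self.records = []  # (src_ip, first bytes of the check-in), in arrival order

    def record(self, ip, sample):
        with self.lock:
            self.records.append((ip, sample))


class SinkholeHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(256)
        except socket.timeout:
            data = b""  # an implant that waits for a banner before speaking
        self.server.record(self.client_address[0], data[:32])
        # Deliberately no reply: we are counting victims, not operating the botnet.


def summarize(records):
    """Collapse raw (ip, sample) records into per-source hit counts.

    Returns an OrderedDict keyed by source IP in first-seen order, so that
    len(result) is the number of distinct hosts that checked in.
    """
    victims = OrderedDict()
    for ip, sample in records:
        entry = victims.setdefault(ip, {"hits": 0, "sample": sample})
        entry["hits"] += 1
    return victims


def run_sinkhole_demo(checkins, host="127.0.0.1"):
    """Start a sinkhole on an ephemeral port, replay the given check-in
    payloads against it from this process, and return summarize() of what
    the listener recorded. Offline: everything stays on localhost."""
    server = Sinkhole((host, 0))
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        for payload in checkins:
            with socket.create_connection((host, port), timeout=2.0) as s:
                s.sendall(payload)
        # Handlers run in their own threads; wait until every check-in is logged.
        deadline = time.time() + 5.0
        while time.time() < deadline:
            with server.lock:
                if len(server.records) >= len(checkins):
                    break
            time.sleep(0.05)
        with server.lock:
            return summarize(list(server.records))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Constructed check-ins: in the real case each would come from a different victim.
    report = run_sinkhole_demo([b"CHECKIN host=a\n", b"CHECKIN host=b\n"])
    for ip, info in report.items():
        print(ip, info["hits"], info["sample"])
```

In a real deployment the listener sits behind the newly registered domain on a public host, so distinct source IPs approximate distinct victims (NAT collapses several machines behind one address, so the count is a lower bound). Replaying from one process, as the demo does, yields a single source IP with several hits, which is exactly what `summarize()` reports.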
The man – Phillip R. Durachinsky – is alleged “to have watched and listened to victims without their knowledge or permission and intercepted oral communications taking place in the room where the infected computer was located. In some cases, the malware alerted Durachinsky if a user typed words associated with pornography.”
Apparently, he saved millions of images and often kept detailed notes of what he saw.
He is also believed to have used the malware to steal the personal data of victims – login credentials, tax records, medical records, photographs, banking records, Internet searches, and potentially embarrassing communications – and used the stolen login credentials to access and download information from third-party websites (i.e., from victims’ online accounts).
He is alleged to have done this from 2003 through January 20, 2017.
Durachinsky was charged with Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child pornography, and aggravated identity theft.
“The fact that this guy was able to do this for over a decade is mind-blowing,” Wardle told ZDNet.
He also noted that, while people aren’t too worried about their machines being turned into spying devices by spies because “they have nothing to hide,” they must be conscious of the fact that “there are other, very perverse people out there who’re trying to accomplish the same goal.”