Posted on July 25, 2017 at 12:23 PM
Even though it’s been six months since its discovery, the first Mac malware of the year is still causing a stir.
The so-called Fruitfly malware is a highly invasive piece of malware written specifically for Macs, and it had been active for years before it was detected. Whoever controls it can remotely take complete control of the computer, from files and webcam to screen, mouse and keyboard.
Even with the malware being finally detected, not a lot is known about it yet.
Since Mac malware is rare, and this particular sample could be of national security importance, Patrick Wardle, a former NSA hacker who is now chief security researcher at Synack, got to work.
Even though Apple released patches to combat Fruitfly earlier in the year, new versions of the malware have since emerged. The core of the malware is an obfuscated Perl script written in antiquated code, and parts of that code suggest the malware could be at least half a decade old, or older.
Despite this, the malware still works well on modern versions of macOS, including Yosemite. Fruitfly connects to and communicates with a C&C server, through which an attacker can remotely spy on and control an infected Mac.
But what the attacker does exactly and why aren’t really known.
Wardle said that the malware isn’t the most sophisticated, but it does its job well, even if he wasn’t exactly sure at first what that job was.
To figure out the malware, Wardle took a novel approach: he built his own C&C server to interact directly with a sample of the malware in his lab.
What Wardle found was that the malware let him take complete control of the infected Mac, keyboard and mouse included, as well as take screenshots of the display, turn on the webcam at will and even modify files. The malware can also run commands in the background, and can even kill its own process altogether — likely in an effort to avoid detection.
The feature Wardle found most interesting was an alert the malware sends to the attacker once the victim becomes active. Wardle suspects this was built so the attacker could avoid being noticed while the user is at the keyboard. It was something Wardle hadn’t seen before.
He noticed that the malware was reaching out to primary servers that were offline, but that some of the backup servers’ domains were still available. Using his Python-based C&C scripts, Wardle registered some of those domains and fired up his servers. That was the moment his screen began to fill with victims’ computers connecting to his servers, one after the other.
As the early analysis found, 90% of the malware’s victims were based in the US, but no connection could be found between them; they were just a general smattering of users, as Wardle told us. The questions that remain unanswered are where the malware came from and what its purpose is.
Wardle believes that, given the kind of victims targeted, the attacker is unlikely to be a nation state but rather a single hacker using the malware for perverse reasons. He wouldn’t say how many were affected by the malware, but suggested it wasn’t widespread like other forms of malware.
He also wasn’t sure of the malware’s exact delivery method, but suggested it could infect a computer through a malicious email attachment.
Wardle has since informed law enforcement and is now working with them on the matter, handing over the list of victims and C&C servers.
In his spare time, Wardle also develops free-to-download Mac tools that protect Macs from attacks of this sort, including Oversight, which notifies users when their microphone or webcam becomes active, essentially protecting against some of this malware’s features.
Wardle is set to talk about the malware in more detail at the Black Hat conference in Las Vegas on Wednesday.
Apple did not respond to a request for comment.