Stealthy Fruitfly Mac Malware Undetected For Years Allowed Hackers Complete Control Of Infected Machines
For a long time, Apple's Mac line of computers were thought by some users to be immune to malware and viruses. Some of that was due to hackers and nefarious sorts aiming for the low hanging fruit of the much larger Windows user base. Things have changed with Macs growing in popularity over the years and there are many different viruses and malware out there that target Mac users today. MacRansom was one of the latest bits of malware aimed at Apple fans, and now, a malware called Fruitfly is ready to wreak havoc.
The malware has reportedly been making the rounds for years (perhaps a half decade), but has gone mostly undetected and even today only a few security products are able to detect Fruitfly. You might think since the malware has stayed hidden for many years that might indicate it is a mild threat, but that is far from the case. Security researchers say that Fruitfly is a "fully featured" backdoor that allows hackers to take full control of an infected Mac. That means when activated, the controller of the malware is able to control the infected Mac's webcam, screen, keyboard, and mouse in addition to accessing all files on the machine.
Fruitfly is said have the hallmarks of what could be a nation state attacker; let that sink in a bit. One of the researchers working on learning more about Fruitfly is Patrick Wardle, who was formerly a hacker for the NSA and is currently the chief security officer at Synack. Wardle says of Fruitfly, "It's not the most sophisticated Mac malware." In fact, Wardle says that at first glance he wasn't even sure what the malware did.
Wrote C&C server to analyze🍎-virus for @BlackHatEvents/@defcon talk. Took over a C&C addr & 100s 🤒💻 (90% in 🇺🇸): 'hi, task us'👮now involved😱 pic.twitter.com/DxS1y8KYZB
— patrick wardle (@patrickwardle) July 21, 2017
His research showed that the malware is able to take complete control of infected Macs and run commands in the background. Fruitfly is even able to kill it's own processes in what is thought to be an effort to avoid detection. Wardle also found something very interesting and disturbing about the malware, "The most interesting feature is that the malware can send an alert when the user is active." With that capability, the attacker could avoid using the system to prevent being discovered, a feature that Wardle says he hasn't seen before.
The malware also has features that allow it to take screenshots of varying quality, something said to be useful for low bandwidth connections and to evade detection on a network. From the early data gleaned from Wardle's research, it appears that 90% of the infected Macs are in the US and that there are no obvious connections between users.
While the malware is said to have the hallmarks of a nation state attacker, Wardle thinks that it is more likely operated by a single hacker who wants "...to spy on people for perverse reasons..." There is no indication of just how many Macs are infected with Fruitfly, but Wardle is working with law enforcement and has handed over a list of infected users and command and control servers. Wardle will be speaking about Fruitfly in Las Vegas this week at the Black Hat conference.
