Fruitfly macOS and OS X backdoor remained undetected for years

A new mysterious strain of macOS and OS X malware dubbed Fruitfly went undetected by malware researchers and security software for at least five years.

Fruitfly is a backdoor that could be used by attackers to gain full control over the infected systems by implementing many spying features.

Fruitfly has the ability to capture screenshots, keystrokes, webcam images, and steal data from the infected Mac.

Patrick Wardle, chief security researcher at Synack and former NSA analyst, has analyzed a sample of the malware and will present his findings this week at the hacking conference Black Hat.

The expert has built a custom command and control server to examine the FruitFly backdoor, he announced the release a number of tools used for his analysis, including a user-mode process monitor.

It has been estimated that the number of infected devices is roughly 400 and likely much higher.

““[FruitFly] was designed in a way to be interactive,” explained Wardle “This can move the mouse, generate presses and interact with the UI elements of the operating system.””

The FruitFly sample analyzed by Patrick Wardle is a variant of a malware that was spotted in January by experts at Malwarebytes after being undetected for at least two years.

After the discovery of the malware in January, Apple updated macOS to automatically detect the malware, but the strain of malware found by Wardle remained undetected by macOS security system and antivirus products.

The Fruitfly malware relies on functions that were deprecated long ago and uses a crude method to gain persistence. Compared to other Mac malware it is much easier to detect.

A submission to the VirusTotal malware detection service shows that only 22 out of 57 Antivirus are able to detect the malware.

The analysis of the malware allowed Wardle to decrypt several backup domains that were hardcoded, and the good news is that the domains remained available allowing him to register one of them.

The expert set up a “sink hole” with the registered domain and noticed that close to 400 infected Macs connected to the server, most of them from United States.  Although Wardle did nothing more than

Wardle explained that the was able to send commands to the infected machine to spy on the victims, but he did not do it to respect their privacy.

Wardle explained that the method of infection is still unknown, he suspects the victims were tricked into clicking malicious links.

Wardle also explained that it is still unclear the real motivation of the attackers, the malware in fact, is not able to steal payment card data or to deliver other malicious payloads to monetize the effort of the attackers (i.e. ransomware).

Anyway the fact that the malware targets home users led the researchers to exclude the involvement of a nation-state attacker.

“I don’t know it if it’s just some bored person or someone with perverse goals,” Wardle said. “If some bored teenager is spying on me, that would still be very emotionally traumatic. If it’s turning on the webcam, that’s for perverse reasons.”

The researcher believes that Fruitfly was therefore abandoned by its creators, but the victims are still exposed to anyone who is able to impersonate a C&C server included in the list of hardcoded domains.

Wardle reported his findings to law enforcement and all hardcoded domains are no longer available to avoid abuses.

Wardle developed a set of tools for its investigation, such as BlockBlock for detecting persistence mechanisms and OverSight for detecting webcam alerts.

Don’t miss the Wardle speech at the Black Hat Security Conference in Las Vegas, it is titled Offensive Malware Analysis: Dissecting OSX/Fruitfly via a custom C&C Server.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  (Fruitfly, Mac OS backdoor)

[adrotate banner=”13″]