Researchers have uncovered an odd piece of OS X malware that includes some very old functions and may have been used in highly targeted attacks for some time.
The malware is nothing fancy, and in fact is quite simple in its construction and functionality. Called Fruitfly by Apple, the malware may have been in use for at least two years, specifically in targeted attacks against biomedical research facilities. The malware doesn’t have a long list of functions, but the one thing it seems to focus on is taking screenshots and activating the webcam to capture videos. Fruitfly comprises just two files, one of which is a client and the other of which is a launch agent.
The client file is a perl script that’s been obfuscated, and contains a domain name that’s used for command and control. Researchers at Malwarebytes, who analyzed the Fruitfly malware, said it also contains some hints that it could run on Linux systems.
“The script also includes some code for taking screen captures via shell commands. Interestingly, it has code to do this both using the Mac ‘screencapture’ command and the Linux ‘xwd’ command. It also has code to get the system’s uptime, using the Mac ‘uptime’ command or the Linux ‘cat /proc/uptime’ command,” the analysis by Thomas Reed of Malwarebytes says.
“The most interesting part of the script can the found in the __DATA__ section at the end. Found there are a Mach-O binary, a second perl script and a Java class, which the script extracts, writes to the /tmp/ folder and executes. In the case of the Java class file, it is run with apple.awt.UIElement set to true, which means that it does not show up in the Dock.”
“There are indications that this malware has been circulating undetected for a long time.”
Reed said the malware downloads a script from a remote server that includes a function to map other devices on the infected machine’s network. The malware attempts to connect to those other devices, as well. Fruitfly also includes a number of functions that Reed says are from the late 1990s, as well as some hints in the code that indicate the malware may be a couple of years old, at least.
“There are other indications that this malware has been circulating undetected for a long time. On one of the infected Macs, the launch agent file had a creation date in January of 2015. That’s not strong evidence of the true creation date, though, as those dates can easily be changed,” Reed said.
“Further, there is a comment in the code in the macsvc file that indicates that a change was made for Yosemite (Mac OS X 10.10), which was released in October of 2014. This suggests that the malware has been around at least some time prior to Yosemite’s release.”
Apple has released an update to detect Fruitfly, and Reed said the malware’s files are easy to find on an infected machine. As to why it hasn’t been found before, Reed has a theory on that, as well.
“The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure. There have been a number of stories over the past few years about Chinese and Russian hackers targeting and stealing US and European scientific research. Although there is no evidence at this point linking this malware to a specific group, the fact that it’s been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage,” he said.
