The malicious code was discovered by Malwarebytes after one of its IT administrators identified a strange pattern of incoming network traffic from a compromised Mac. Reportedly, this malware has been designed to capture screenshots, compromise the webcam of a Mac machine and simulate key presses and mouse clicks. Apart from these features, it also performs the regular malware function of giving the attacker the ability to remotely control the device.
According to a blog post from Malwarebytes researcher Thomas Reed, neither his firm nor Apple has yet discovered how this malware is being distributed. What they have managed to identify, though, is that it is based upon old-school coding techniques, so old that they probably date back to the time when Mac OS X was launched in 2001.
The most disturbing aspect is that Fruitfly also contains Linux shell commands, and when Reed tried to run the malware on a Linux machine, it worked “just fine”; only the Mac-specific code didn’t run. This suggests that the malware developers didn’t know much about the Mac system and used old documentation for its development.
“The presence of Linux shell commands in the original script suggests that there may be a variant of this malware that is expressly designed to run on Linux, perhaps even with a Linux executable in place of the Mach-O executable. However, we have not found such a sample,” noted Reed.
Fruitfly is a relatively simplistic malware, as it uses just two files: a .plist file that serves as a launch agent, and a .client file, which runs all the time. The .client file is an obfuscated Perl script through which contact with the command and control server is made.
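As an added example, not code from the article or from Malwarebytes, the following Python check parses LaunchAgent plists and flags the persistence pattern just described: a launch agent keeping a hidden .client script running. The sample plist, its label and the path in it are constructed placeholders, not real Fruitfly indicators, and the heuristics are assumptions drawn only from the article's description.

```python
import plistlib
from pathlib import Path

# Constructed sample launch agent mimicking the persistence the article
# describes: a LaunchAgent .plist that keeps a hidden ".client" script
# running. Label, path and user name are placeholders, not real indicators.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.placeholder</string>
    <key>ProgramArguments</key>
    <array><string>/Users/jdoe/.client</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

def inspect_launch_agent(plist_bytes):
    """Return reasons a launch agent resembles the .client pattern ([] = nothing notable)."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # a plist that will not parse is still worth a look
        return [f"unparseable plist: {exc}"]
    args = [str(a) for a in data.get("ProgramArguments") or []]
    if data.get("Program"):
        args.insert(0, str(data["Program"]))
    reasons = []
    for arg in args:
        name = Path(arg).name
        if name.endswith(".client"):
            reasons.append(f"runs a .client file: {arg}")
        elif name.startswith(".") and arg.startswith("/Users/"):
            reasons.append(f"runs a hidden file from a home directory: {arg}")
        if name in ("perl", "sh", "bash"):
            reasons.append(f"launchd starts an interpreter directly: {arg}")
    if reasons and data.get("KeepAlive"):
        reasons.append("KeepAlive set, so launchd keeps it running all the time")
    return reasons

def scan_launch_agents(directories):
    """Inspect every .plist under the given LaunchAgents folders; returns {path: reasons}."""
    findings = {}
    for d in directories:
        for plist_path in Path(d).glob("*.plist"):
            reasons = inspect_launch_agent(plist_path.read_bytes())
            if reasons:
                findings[str(plist_path)] = reasons
    return findings
```

On a Mac, call `scan_launch_agents(["/Library/LaunchAgents", Path.home() / "Library/LaunchAgents"])` and review each hit by hand; a legitimate agent can also match, so the output is a triage list, not a verdict.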
According to Reed, this script includes code for “taking screen captures via shell commands…it does this both using the Mac ‘screencapture’ command and the Linux ‘xwd’ command. It also has code to get the system’s uptime, using the Mac ‘uptime’ command or the Linux ‘cat /proc/uptime’ command.”
Reed noted that although this malware is easily spotted, it has somehow remained undetected for a long time. In fact, he stated that the malware had been successfully compromising Mac systems for the past few years. He added that this is not mere speculation: the malicious code of Fruitfly was modified when the cyber-criminals wanted to support OS X Yosemite, which was released in October 2014. One reason that explains how the malware stayed undetected is that it was used sparingly, on a small number of specifically targeted machines.
The main purpose of infecting Macs with Fruitfly was to conduct spying operations, and biomedical research institutes were its main targets. When a Mac is infected with Fruitfly, it gathers information about the local network and all the devices connected to it. The malware downloads a Perl script from the command and control server and launches it; this script uses mDNS to build a map of the other devices on the local network, extracting their names, IPv4 and IPv6 addresses and the ports in use. The good news is that Apple has released a timely update that will protect Mac systems from this malware.