New Surveillance Malware “FruitFly” Is a Nearly Undetectable Mac Backdoor

Charles McFarland contributed to this blog

Mac malware outbreaks used to be viewed as a rarity. However, Mac-focused threats have been steadily on the rise over the last few years: our McAfee Labs Quarterly Threats Report showed instances of Mac malware growing by 744% in 2016. Fast forward to the summer of 2017, and a new and powerful strain of Mac malware has hit the scene. Named FruitFly, the threat was only recently detected by researchers despite having been in circulation for years. The malware is highly invasive and capable of taking complete control of an infected Mac.

FruitFly works as a traditional RAT (remote access trojan). Once it infects a Mac, it opens a backdoor through which the attacker controls the device from a command-and-control (C&C or C2) server, sending commands that the malware executes on the system. These commands include taking screenshots of the display, remotely switching on the webcam, and modifying files. Later versions of FruitFly also appear able to control the mouse and interact with the infected machine's desktop.

Though powerful, FruitFly is in several respects old fashioned. It is partly written in Perl, a language rarely chosen for new software today. It also embeds the open source libjpeg library, used to handle the JPEG image format, in a version of the code that dates back to at least 1998. Both point to authors who have been at this for a long time.

Who has been impacted by FruitFly so far? Fortunately, only a small number of users are known to have been targeted by either the old or the new variant. Biomedical research personnel were the main target of the first variant, while home users were the target of the later one. However, small, tailored FruitFly campaigns may continue for some time, which means all Mac users need to be vigilant. Additionally, much of FruitFly's code is cross-platform: the current version does not run fully on Linux, but only a few changes would be needed to make it viable there. This suggests a Linux variant may exist or be planned.

The good news is there are a few things users can do to stay protected from FruitFly. Against the older variant, keeping a Mac current with Apple's latest updates is enough. Newer variants still require detection and prevention, which means users need to run up-to-date security products.
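Because the post says FruitFly is a Perl script kept running as a backdoor, one thing a Mac defender can do without waiting for a signature is hunt for that shape of persistence. The scanner below is an added example written for this page, not McAfee's code and not FruitFly's: it parses launchd property lists (the LaunchAgent and LaunchDaemon plists that start programs at login) and flags any that run a script interpreter on a file parked in a dot-directory or dot-file, noting whether launchd is also told to start it at login (RunAtLoad) and restart it if killed (KeepAlive). The hidden-path heuristic, the `/Users/jane/.cache/.agent` path and the two sample plists are constructed for illustration; they are not FruitFly indicators of compromise.

```python
"""Hunt for script-based persistence in macOS launchd property lists.

A FruitFly-style backdoor is a script (Perl, in FruitFly's case) that launchd
keeps running for the attacker. This scanner parses LaunchAgent/LaunchDaemon
plists and flags ones that start an interpreter on a file hidden away in a
dot-directory or dot-file, especially when launchd is also told to start it
at login (RunAtLoad) and restart it if it dies (KeepAlive).
The heuristic and the sample plists are this example's own, not FruitFly IOCs.
"""
import plistlib
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Interpreters whose presence as argv[0] means "the real program is a script".
SCRIPT_INTERPRETERS = {"perl", "python", "ruby", "sh", "bash", "zsh", "osascript"}


def _is_hidden_path(path: str) -> bool:
    """True if any path component is a dot-file or dot-directory (~/.cache/.agent)."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in Path(path).parts)


def analyze_plist(data: bytes) -> List[str]:
    """Return the reasons a launchd plist looks like hidden script persistence.

    An empty list means nothing suspicious. Accepts XML and binary plists.
    """
    try:
        plist = plistlib.loads(data)
    except Exception:  # malformed XML, bad binary header, truncated file...
        return ["could not parse plist"]
    if not isinstance(plist, dict):
        return ["could not parse plist"]

    argv = [str(a) for a in plist.get("ProgramArguments") or []]
    if not argv and plist.get("Program"):
        argv = [str(plist["Program"])]
    if not argv:
        return []

    exe = Path(argv[0]).name
    # Normalise versioned names: perl5.30 -> perl, python3 -> python.
    interpreter = exe.rstrip("0123456789.") in SCRIPT_INTERPRETERS
    # For an interpreter the script is among the later arguments (skipping
    # flags like -w); otherwise the executable itself is what we judge.
    candidates = argv[1:] if interpreter else argv[:1]
    hidden = [a for a in candidates if _is_hidden_path(a)]
    if not hidden:
        return []

    reasons = [f"runs from hidden path: {hidden[0]}"]
    if interpreter:
        reasons.append(f"via script interpreter {exe}")
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad (started at login)")
    if plist.get("KeepAlive"):
        reasons.append("KeepAlive (relaunched if killed)")
    return reasons


def build_agent(argv: List[str], run_at_load: bool = False,
                keep_alive: bool = False, label: str = "com.example.agent") -> bytes:
    """Build an XML LaunchAgent plist; used here only to construct sample inputs."""
    plist = {"Label": label, "ProgramArguments": argv}
    if run_at_load:
        plist["RunAtLoad"] = True
    if keep_alive:
        plist["KeepAlive"] = True
    return plistlib.dumps(plist)


def scan_directories(dirs: Optional[Iterable[Path]] = None) -> Dict[str, List[str]]:
    """Scan the usual launchd locations on a live Mac; returns {plist path: reasons}."""
    if dirs is None:
        dirs = [Path.home() / "Library/LaunchAgents",
                Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
    findings: Dict[str, List[str]] = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                reasons = analyze_plist(p.read_bytes())
            except OSError:
                continue
            if reasons:
                findings[str(p)] = reasons
    return findings


# Constructed samples (not real FruitFly artifacts): an ordinary vendor helper,
# and a Perl script parked in a dot-directory under a made-up user's home.
BENIGN_AGENT = build_agent(
    ["/usr/bin/python3", "/Applications/ExampleBackup.app/Contents/Resources/helper.py"],
    run_at_load=True, label="com.example.backup-helper")
SUSPICIOUS_AGENT = build_agent(
    ["/usr/bin/perl", "/Users/jane/.cache/.agent"],
    run_at_load=True, keep_alive=True, label="com.example.hidden-agent")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_AGENT), ("suspicious", SUSPICIOUS_AGENT)):
        print(name, "->", analyze_plist(blob) or "clean")
    for path, reasons in scan_directories().items():
        print(path, "->", "; ".join(reasons))
```

Run on a Mac, the script prints the verdict for the two constructed samples and then anything it finds under the user's and the system's LaunchAgents and LaunchDaemons folders. A hit is a lead, not a conviction: legitimate software occasionally installs agents under dot-directories, so inspect the script the agent points at before removing anything, and remember that a plist that fails to parse is itself worth a look.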

For McAfee customers: our solutions detect both the dropper and the payload for both the old and new variants. The new variants are detected using our cloud technology, Artemis.

To learn more about this attack and Mac malware, follow us at @McAfee and @McAfee_Business.
