Fruitfly Malware Spies on Mac Computers


A new malware dubbed Fruitfly has been spotted creating backdoor access to biomedical research facilities. Fruitfly affects Mac computers and is also liable to run on Linux. The malware's focus is not to damage the system or extort money from its users; instead, its primary purpose seems to be surveillance. What is interesting about this malware is that it has remained undetected for many years. Another notable point is that Fruitfly has been specifically targeting systems in the biomedical field.

According to Malwarebytes analyst Thomas Reed, the malware appears to have been around for quite some time. By analyzing comments in one of Fruitfly's files, Reed concluded that the malware has been circulating since before the Mac OS X 10.10 release. Another indicator of the malware's age is its use of outdated functions. However, all of this is speculation, and the exact age of the malware is yet to be determined. It is also still unknown how Fruitfly distributes itself. So far the malware has only been spotted targeting biomedical research centers; now that its existence has been revealed, I believe it will be found in other sectors too.

 if(/_(tcp|udp)\S*\s+(_\S+)$/){ $s="$2._$1"; }
 elsif(/icloud\.com\.\s+(_[^\.]+\._(tcp|udp))\.\d+\.members\.btmm$/)
    { $s=$1; } # changed in yosemite
 elsif(/icloud\.com\.\s+\.\s+_autotunnel6$/){ next; }

Analysis showing the Yosemite (Mac OS X 10.10) comment. Source: https://blog.malwarebytes.com/

The malware consists of a .plist file and a client file. The plist file acts as a launch agent, while the client file is an obfuscated Perl script that connects to a command and control (C&C) server at the domain eidk.hopto.org. The script includes commands that allow monitoring and control of input events such as keyboard keys and mouse clicks, as well as access to webcams. It can also download additional scripts that allow it to map and monitor devices on the local network. Because the malware contains Linux shell commands, it is also capable of running on Linux to an extent.

~/.client
SHA256: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044
 
~/Library/LaunchAgents/com.client.client.plist
SHA256: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3

Fruitfly files. Source: https://blog.malwarebytes.com/
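A host check for the two artifacts listed above, written here as an added example (it is not Malwarebytes' tooling or any code from the original post). It takes a home directory as a parameter, hashes the files at the two published paths, compares them with the SHA256 values from the listing, and parses the launch agent with plistlib to confirm it points at the hidden client; the paths and hashes come from the listing above, while the function names and the "report an unknown hash too" behaviour are assumptions of this example.

```python
import hashlib
import plistlib
from pathlib import Path

# SHA256 values exactly as published in the Malwarebytes listing on this page.
KNOWN_HASHES = {
    "ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044": "~/.client",
    "83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3": "com.client.client.plist",
}
CLIENT_REL = ".client"                                      # hidden Perl client
AGENT_REL = "Library/LaunchAgents/com.client.client.plist"  # launch agent (persistence)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_home(home: Path, known_hashes=KNOWN_HASHES) -> list:
    """Return findings for one user home directory (function name is assumed).
    A present file whose hash is unknown is still reported: a re-obfuscated
    variant would keep the paths but not the published hashes."""
    findings = []
    for rel in (CLIENT_REL, AGENT_REL):
        p = home / rel
        if not p.is_file():
            continue
        digest = sha256_of(p)
        if digest in known_hashes:
            findings.append(f"{rel}: SHA256 matches published {known_hashes[digest]} sample")
        else:
            findings.append(f"{rel}: present but hash {digest[:12]}... is not a published sample")
    agent = home / AGENT_REL
    if agent.is_file():
        try:
            with agent.open("rb") as f:
                plist = plistlib.load(f)
        except Exception as exc:  # malformed or non-plist content
            findings.append(f"{AGENT_REL}: unparseable plist ({exc})")
            return findings
        args = [str(a) for a in plist.get("ProgramArguments", [])]
        if any(a.endswith(CLIENT_REL) for a in args):
            findings.append(f"{AGENT_REL}: launches {args} (hidden client in home dir)")
    return findings
```

Run it against every home directory on a host (e.g. each entry under /Users); an empty list means none of the three checks fired.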

So far, the primary purpose of Fruitfly appears to be surveillance. The group or organization responsible for it has yet to be identified. Reed mentions the possibility that this is a state-sponsored espionage campaign. I believe another possibility is corporate espionage by competing biomedical institutions. Given the vast amount of money that goes into R&D, neither assumption is implausible. Another theory I have, and this one is far-fetched, is that this was done by a single actor or group in order to sell the information for financial gain. If that were the case, then it is one hell of a lucrative heist.
