It’s rare to find malware that is designed to compromise the infrastructure of a Mac operating system, but in our recent blog post we discuss malware dubbed Fruitfly that has recently emerged and is designed to do exactly this.
As the write-up mentions, in most cases malware designed to compromise Mac OS was simply a proof of concept to show that the underlying architecture was fundamentally insecure and to eliminate the false sense of security that Mac users sometimes have.
Fruitfly was first discovered by accident, as explained in a previous Hacker News article, but the malware has since been researched more deeply and some startling information has been discovered.
How It Works
The underlying coding of the malware relies on the legacy application Perl, which is discussed in detail in a Malwarebytes Labs blog post earlier this year. Once executed, the malware connects to a command and control server. From that server a hacker can then remotely view, control and lock the Mac computer. This includes the ability to remotely control the webcam in iMacs and take and store photos without the user suspecting.
How It’s Delivered
Like most malware, Fruitfly is delivered via phishing emails where the user clicks on an unknown attachment, and is also delivered through malicious websites via drive-by downloads, or watering hole attacks. Once delivered, the software becomes essentially a remote surveillance tool.
How to Protect Your Machine
As mentioned in the write-up, this particular exploit existed for years before being noticed. Now, Apple has released a patch to fix Fruitfly and prevent the code from being executed. If you update your Mac OS to the latest version, this exploit will no longer be able to connect to the command and control server, rendering the malware useless.
So SpiceHeads, now I’m curious to know if you have seen any interesting updates or further research that has been done around Fruitfly? Are there any similar Mac OS threats that could be more than a proof of concept that you have been following updates on lately?