Malware for Mac remained in the shade for years, could spy on users
An old, simple malware but wrapped up by a mystery mist: it has remained in the shade to the present day, and its creators seem to have abandoned it. Origin is not known, not even the purposes.
An insidious and mysterious malware, capable of putting in the hands of attackers control over webcams, keyboards and other sensitive resources, infected an unknown number of Mac systems for at least five years remaining in the shade up to our days when a security researcher, Patrick Wardle, came across the threat and tried to shed some light on what it was.
Malware would be a variant of a threat detected in January and baptized by Fruitfly. Both variants perform the same functions: capture screenshots, keystrokes, webcam images, and information about infected machines and those connected to the same network. The Malwarebytes security company had discovered that Fruitfly infected four Mac systems, and Apple had upgraded MacOS to automatically detect malware.
The variant identified by Warlde has compromised at least 400 machines, which could actually be many more. The unusual aspect of the story is that this malware has never been detected either by MacOS or by commercial security suites, and at the present state of things seems to have been abandoned by its creators as well.
Wardle has found various hardcoded domains within the malware, at the time of discovery still accessible. Wardle then registered one of the addresses identified to check if and how many Macs were infected and then could communicate with a owl server set up behind the domain.
Given the malware abandonment, the main command-and-control server has been deactivated, but many of the infected Macs have never been cleaned up and consequently, connected to the octet server as soon as it became available. The researcher was able to find approximately 400 servers connected to the server, mainly systems installed in homes in the United States.
However, there is a mystery about this variant of Fruitfly: its origin is unclear, infectious carriers are not known (even if you think of something uncomplicated as social engineering techniques to induce potential victims to click on malicious links and not on exploitation and falsification mechanisms), and neither is the purpose known.
Wardle claims that he has not found any indication that malware could be used as a tool to install ransomware or tools to collect banking information, which excludes profit. The concentration of home systems also exposes the possibility that malware has been executed by some spy-dominated hackers for espionage purposes.
The researcher shared all his discoveries with the authorities and said that all known domains associated with malware are no longer available, a measure that is neutralizing the threat posed by Fruitfly. Wardle will hold a meeting at the Black Hat Security Conference in Las Vegas, which will open in the next few days where he will investigate what has been discovered during the malware investigation.
The most peculiar aspect is that this Fruitfly variant has remained in the shade for a long time. And it is even more unusual if you think that malware is based on substantially ” old ” functions and mechanisms and that new and more sophisticated malware should be much easier to detect.