Dubbed Fruitfly or Quimitchin, the malware was identified by Patrick Wardle, chief research officer at Digita Security, and was found on at least 400 computers across the United States, affecting Windows, Mac and Linux based devices. Reportedly, the malicious software spied on unsuspecting citizens for decades.
Law enforcement officials are investigating what appears to be a malware outbreak specifically targeting Mac users, which has thus far infected an unknown number of Macs owned by individuals and educational institutions in the United States, according to a report published Monday by Forbes. While it’s unclear exactly how the malicious code ultimately made its way onto the infected machines, or whether its intentions are perverse or government-related in nature, one cybersecurity expert is cautioning that the outbreak (dubbed ‘FruitFly’) could prove to be more far-reaching than initially thought.
Those sentiments were delivered by Patrick Wardle, a former NSA analyst who is now a cybersecurity research partner with Synack. Wardle says that he has seen “about 400 individual cases” of the ‘FruitFly’ malware so far; however, citing his limited access to “a handful of servers” on which the malicious code is being hosted, he conceded that there could be many more cases. Wardle says he was able to identify the roughly 400 victims of FruitFly when he accessed one of the server domains that the hackers were allegedly planning to use as a backup when the primary host servers were offline.
Wardle explained to Forbes that he was then able to identify the IP addresses of primarily (90%) U.S.-based victims, as well as the names of those victims’ Mac computers, which he says made it “really easy to pretty accurately say who is getting infected.” Once the scope of the situation became clear, Wardle says he passed the information along to the appropriate law enforcement authorities; and he plans to present his findings later on this week at the 20th annual Black Hat information security conference in Las Vegas.
- Jul 25, 2017: Apple released security patches for Fruitfly earlier this year. After further investigation of the malware, former NSA hacker and current chief security officer at Synack, Patrick Wardle, was able to uncover new details about Fruitfly. According to him, the virus is not 'the most sophisticated Mac malware.'
- Jan 18, 2017: The team at Malwarebytes has recently discovered what they’re calling “the first Mac malware of 2017”. The Fruitfly malware has been using antiquated code. American Apple Mac computers have been hacked with FruitFly malware, Forbes reports. The hack is thought to be for surveillance, as the hackers were able to jump into the webcams of the affected computers and take screenshots, though the FruitFly malware has the ability to take over the entire computer.
- Jan 13, 2018: Phillip R. Durachinsky, of North Royalton, Ohio, is alleged to have used Mac malware known as “Fruitfly” to remotely control victims’ computers, access.
- Jul 25, 2017: A new mysterious strain of macOS and OS X malware dubbed Fruitfly went undetected by malware researchers and security software for at least five years. Fruitfly is a backdoor that could be used by attackers to gain full control over the infected systems by implementing many spying features. Fruitfly has the ability to capture screenshots, keystrokes, webcam images, and steal data from the.
- Aug 23, 2018: However, as we’ll see in this post, Fruitfly can easily be re-used by other attackers, and despite being discovered some 18 months ago after an unprecedented 13-year run in the wild, it is not currently detected by Apple’s XProtect or removed by their MRT.
What Is FruitFly?
The primary intent of FruitFly appears to be surveilling and spying on its victims by recording their actions or capturing screenshots through their Mac’s FaceTime web camera. Wardle believes the malware was created “with the goal to spy on people for perverse reasons.” Startling as it sounds, Wardle believes that this particular outbreak doesn’t point to financially motivated cybercrime — particularly because there were no “ads, keyloggers, or ransomware” hidden within the code. Rather, “Its features had looked like they were actions that would support interactivity: it had the ability to alert the attacker when users were active on the computer, it could simulate mouse clicks and keyboard events.”
Citing comments discovered in the malware’s code that referenced updates for Mac OS X Yosemite (released back in 2014), Wardle believes that the present outbreak of FruitFly may be a variant of an older Apple spy tool, which suggests that the malware could have been present even before then. He admitted, however, that without sufficient insight into the behavior of other servers (which could also be host to the malicious code), it’s difficult to determine the broader scope of the outbreak.
Whether Apple knows about the issue remains unclear; when reached for comment by Forbes, the company did not respond.
How to Protect Yourself
While FruitFly’s creators and their motivations remain unknown, it appears to Wardle (at least on the surface) that the hackers simply want to spy on “random individuals” through their web cameras. We therefore highly recommend adding a cover to your Mac’s FaceTime camera, or manually disabling the camera altogether.