InfraGard recently put out a Flash Alert for a piece of malware called Fruit Fly. I sat through this briefing during last year’s Black Hat/DefCon conference, and this malware is unique because it can live in an environment for months, if not years, undetected. There are no ransomware screens alerting the user that they’ve been infected, and no ominous blue screen of death. It was first discovered in January of 2017 by Thomas Reed of Malwarebytes, a top Mac OS security researcher who conducted the initial analysis; since then, other variants have been identified, dissected, and monitored.
How Does It Work?
The main objectives of the Fruit Fly malware are to spread, create backdoors, control an infected machine’s mouse and keyboard, alert the controller when the end user is interacting with the machine (so the operator can stay hidden), and invoke monitoring capabilities on vulnerable Mac OS machines. Based on the conclusion of researcher and DefCon presenter Patrick Wardle, it is targeting normal, everyday users in order to monitor them through their webcams and via screenshots.
Wardle did not reverse engineer this malware through the standard practice of working through it with disassemblers and debuggers, but through a much more efficient process. He began by creating custom Mac OS monitoring tools, mainly to find out what protocol the malware was speaking and, secondly, where the malware was trying to connect back to. Once that information was gathered, the next step was to create a custom Command and Control (C&C) server (think of a mother ship, or the Droid Control Ships controlling the Droid Armies in Star Wars) in a lab environment. This C&C server was used to send commands to the malware with the goal of identifying and revealing its capabilities and full potential. After learning how it manipulates the mouse, keyboard, and camera, and how it captures and sends screenshots and runs other processes, the next progression was to put the C&C server on the internet to see who would connect and what would happen.
Once the C&C server was put on the internet, infected machines immediately checked in and announced they were ready to receive commands. Luckily, this information has been shared with law enforcement officials to assist in the detection and prevention of this kind of malicious surveillance malware. It was not disclosed how many users have been infected or the exact delivery method, but the consensus is that the attack vector is email. I first heard about this vulnerability and malware at the briefing in July 2017, and then again recently when it was flagged by the FBI in a Flash Alert.
What can be learned from these old and new threats?
- Mac OS is not exempt from vulnerabilities
- Run a current, supported version of the OS
- Stay up-to-date on patches and updates
- Employ a vulnerability management program
- Have a layered security approach:
  - NGFW / NG IDS/IPS
  - Secure Internet Gateways
  - Secure Email Servers
  - DNS Security to catch communications to the C&C server
  - Endpoint Security
  - Network Visibility
  - Awareness Training
You can access the free open-source OverSight - Mac Tool for Mac Users developed by Patrick Wardle here.
If you think your network has been exposed to Fruit Fly or are wanting more information on how you can integrate a vulnerability management program or layered security approach into your security practice, reach out to our Security Team today.
About the Author
Derrick Whisel has worked in IT for over 20 years, with extensive experience in project engineering, management, scoping, budgeting and design. He began his career in the military, and after being honorably discharged as an IT2 Second Class Petty Officer, moved into the private sector where he now works as a Senior Technology Advisor, Security Solutions with Internetwork Engineering heading up their Security practice. Connect with Derrick on LinkedIn.