Six months after it was discovered, the first Mac malware of the year is still causing a stir.
The recently discovered Fruitfly malware is a stealthy but highly invasive piece of Mac malware that went undetected for years. Whoever controls it can remotely take complete control of an infected computer -- its files, webcam, screen, keyboard, and mouse.
But despite its recent discovery, little is known about the malware.
Given how rare Mac malware is, especially one with all the hallmarks of what could be a nation state attacker, Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, got to work.
The core of the malware is an obfuscated Perl script using antiquated code, with indicators in the code suggesting the malware may date back almost half a decade or more, the security firm said.
Nevertheless, the malware still works well on modern versions of macOS, including Yosemite. Fruitfly connects and communicates with a command and control server, where an attacker can remotely spy on and control an infected Mac.
But what it does, and why, aren't widely known.
"It's not the most sophisticated Mac malware," said Wardle in a Signal call last week, but he described it as "feature complete." Like others, he wasn't sure at first glance what exactly the malware did.
Instead of reverse-engineering the malware's code to see what it did, he took a novel approach of creating his own command and control server to interact directly with a sample of the malware in his lab.
A selection of computers infected by the Fruitfly malware, showing their usernames and computer names. (Image: Patrick Wardle/Twitter)
"I had to figure out how to create a command and control server that could speak the 'language' of the malware," he said. That let him fully deconstruct what the malware did simply by "asking" the malware the right questions, giving him an unprecedented view into its capabilities.
He found that he could take complete control of an infected Mac, including its keyboard and mouse, take screenshots of the display, remotely switch on the webcam, and modify files. The malware can also run commands in the background, and even kill its own process altogether -- likely in an effort to avoid detection.
"The most interesting feature is that the malware can send an alert when the user is active," said Wardle, so that the attacker can then avoid interfering with the computer to remain stealthy. "I haven't seen that before," he said. He even found that some commands supported additional parameters.
What he called the "second byte" of each command offered more granular options. He explained that he could take screenshots of the display at varying quality -- a useful feature for low-bandwidth connections or for trying to evade network detection.
He noticed that the malware was communicating out to primary servers that were offline. But some of the backup servers were available.
Armed with his Python-based command and control scripts, he registered some domains and fired up his servers. That's when his screen began to fill up with victims' computers connecting to his servers, one after the other.
"I thought -- 'f**k!' -- I have to be responsible here," he said. When the malware connects, you get the IP address, name of the user, and the computer name (which is typically the full name of the user). "I just logged the connections and parsed the computer names, then closed the connection," he said.
The early analysis was that as many as 90 percent of the victims were in the US, with no obvious connection between the users, he said. "It was just a general smattering of users."
But questions remain over where the malware came from, and what purpose it performs.
Wardle said that, based on the target victims, the malware is less likely to be run by a nation-state attacker and more likely operated by a single hacker "with the goal to spy on people for perverse reasons." He wouldn't say how many were affected by the malware, but suggested it wasn't widespread like other forms of malware.
He also wasn't sure of the malware's exact delivery method, but suggested it could infect a computer through a malicious email attachment.
Wardle has since informed and is now working with law enforcement on the matter, handing over the list of victims and command and control servers.
"You have to realize that this kind of re-exposes the fact that you can be an ordinary person and still be victim of a really insidious attack," he said. "This is just another illustration that Macs are just as vulnerable as any other computer."
In part for that reason, Wardle spends his spare time developing free-to-download Mac tools to protect against this kind of attack, including OverSight, which notifies users when their microphone or webcam becomes active, essentially protecting against some of the features of this malware.
"It's not surprising that this malware wasn't detected for five or more years, because current Mac security software is often rather ineffective," he said. "Most don't even look for this kind of activity."