steven36 posted a topic in Security & Privacy News

FruitFly, a piece of Mac malware that infected thousands of machines over the course of more than 13 years, was being distributed via poorly protected external services.

First detailed in early 2017, FruitFly (also known as Quimitchin) targeted individuals, companies, schools, a police department, and the U.S. government, including a computer owned by a subsidiary of the Department of Energy.

In January this year, the U.S. Department of Justice indicted Phillip R. Durachinsky, an Ohio resident, for using the malware for more than 13 years for nefarious purposes. The man would abuse FruitFly to steal personal data of unknowing victims and spy on them, and even to produce child pornography.

Durachinsky allegedly leveraged the malware to control the infected machines “by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio,” the DoJ said in January.

While the threat’s capabilities were clear to the researchers who analyzed it, the only thing they couldn’t explain was the infection vector. A newly discovered “flash alert” (PDF) that the Federal Bureau of Investigation (FBI) sent in March last year, however, solves the mystery: Durachinsky targeted poorly protected external services to install the malware onto his victims’ machines.

“The attack vector included the scanning and identification of externally facing Mac services to include the Apple Filing Protocol (AFP, port 548), RDP, VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from 3rd party data breaches,” the alert reads.
Discovered by Patrick Wardle, co-founder and chief research officer of enterprise macOS security company Digita Security, the document reveals that, in addition to using the malware to spy on victims, Durachinsky was leveraging the infection to target additional systems.

Basically, he scanned the Internet for Macs with exposed ports that he could exploit and then attempted to connect to these systems using weak, known credentials. Once a system was compromised, he then attempted to persistently install the malware.

The targeting of poorly protected remote access protocols for malware installation isn’t a new technique. In fact, there are millions of endpoints exposing ports associated with the Remote Desktop Protocol (RDP) and this type of attack even surpassed spam in popularity among ransomware operators.

Source
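The FBI alert quoted above describes the initial access as password guessing against exposed remote-access services (AFP, RDP, VNC, SSH, BTMM). The defensive counterpart is spotting that guessing in the service's own logs. The script below is an added example, not code from the alert, the article, or any of the researchers named; it parses sshd messages in the usual syslog format and flags a source address that racks up repeated failed password logins in a short window, and separately notes whether that source then logged in successfully (the pattern a weak or breach-derived password produces). The log lines are constructed for the example and are not real data; the threshold, window and the year passed to the timestamp parser are assumptions you would tune for your environment. The same approach applies to the other services in the alert with their own log formats.

```python
"""Flag password guessing against SSH from auth log lines (added example).

Assumptions: syslog-style sshd lines, a guess threshold of 4 failures within
10 minutes, and a log year of 2018 (syslog timestamps carry no year).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): one source guessing passwords for two
# accounts and eventually succeeding, and one legitimate user who mistypes
# a password once and then authenticates with a key.
SAMPLE_LOG = """\
Mar 10 02:14:01 macbook sshd[512]: Failed password for admin from 198.51.100.23 port 51022 ssh2
Mar 10 02:14:03 macbook sshd[512]: Failed password for admin from 198.51.100.23 port 51023 ssh2
Mar 10 02:14:05 macbook sshd[512]: Failed password for invalid user root from 198.51.100.23 port 51024 ssh2
Mar 10 02:14:07 macbook sshd[512]: Failed password for admin from 198.51.100.23 port 51025 ssh2
Mar 10 02:14:09 macbook sshd[512]: Failed password for admin from 198.51.100.23 port 51026 ssh2
Mar 10 02:14:12 macbook sshd[512]: Accepted password for admin from 198.51.100.23 port 51027 ssh2
Mar 10 09:30:00 macbook sshd[640]: Failed password for alice from 192.0.2.7 port 40001 ssh2
Mar 10 09:30:30 macbook sshd[641]: Accepted publickey for alice from 192.0.2.7 port 40002 ssh2
"""

# "invalid user" appears when the account does not exist; the regex accepts
# both forms so guesses at non-existent accounts are still counted.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2018):
    """Return a dict for an sshd auth event, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "ok": m["result"] == "Accepted",
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
    }


def find_guessing(log_text, threshold=4, window=timedelta(minutes=10)):
    """Map each source IP that reached `threshold` failed password logins within
    `window` to {"failures": n, "users": set, "success_after": bool}.

    `success_after` is set when the same source later gets an "Accepted password",
    i.e. the guessing worked and the account needs a password reset and a
    compromise investigation, not just a block.
    """
    recent_failures = defaultdict(list)  # ip -> timestamps inside the sliding window
    users_tried = defaultdict(set)       # ip -> account names it guessed against
    hits = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["method"] != "password":
            continue  # key-based logins are not password guessing
        ip = ev["ip"]
        if not ev["ok"]:
            users_tried[ip].add(ev["user"])
            recent_failures[ip] = [t for t in recent_failures[ip] if ev["ts"] - t <= window]
            recent_failures[ip].append(ev["ts"])
            if len(recent_failures[ip]) >= threshold:
                entry = hits.setdefault(ip, {"failures": 0, "users": set(), "success_after": False})
                entry["failures"] = len(recent_failures[ip])
                entry["users"] = set(users_tried[ip])
        elif ip in hits:
            hits[ip]["success_after"] = True
    return hits


if __name__ == "__main__":
    for ip, info in find_guessing(SAMPLE_LOG).items():
        status = "SUCCEEDED" if info["success_after"] else "failed so far"
        print(f"{ip}: {info['failures']} failures against {sorted(info['users'])}, login {status}")
```

Run as-is it reports only 198.51.100.23, with five failures against admin and root followed by a successful password login; alice's single typo under the threshold is ignored, as is her key-based login. In practice you would feed this the real auth log (on macOS, `log show --predicate 'process == "sshd"'` or the unified log; on Linux, `/var/log/auth.log` or journald) and pair a hit with a block at the firewall, and a `success_after` hit with a credential reset and a look for a persistence mechanism like the one FruitFly installed.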
Apple Mac malware outbreaks are rare. So when they happen, people pay attention. Law enforcement agents are now investigating what appears to be a slice of malicious code that’s been hitting Mac users in recent weeks and appears to be purely for targeted surveillance, though it’s unclear whether it’s for perverse reasons, or if it’s government-related.

Patrick Wardle, an ex-NSA analyst who now does research for cybersecurity firm Synack, says he saw around 400 infections, but there’s likely many more as he only had access to a handful of servers used to control the malware, dubbed FruitFly. “I likely only saw a limited percentage of the total number of victims,” Wardle said.

He was able to uncover FruitFly victims after registering one of the domains the attackers had planned to use as back up when the primary servers were offline. For whatever reason, the hackers didn’t own the domain. From there, Wardle could see victim IP addresses, 90% of which were located in the U.S., he told Forbes. He was also able to see the name of victims’ Mac computers too, making it “really easy to pretty accurately say who is getting infected.” Most appeared to be individuals, though there were some at colleges too, he said.

As soon as Wardle saw active infections, he handed what he found to law enforcement. He’ll present his findings at the Black Hat conference taking place later this week.

He believes surveillance was the primary purpose of FruitFly, which could spy on the webcam of the user and take screenshots. “This didn’t look like cybercrime type behaviour, there were no ads, no keyloggers, or ransomware,” he said.
“Its features had looked like they were actions that would support interactivity: it had the ability to alert the attacker when users were active on the computer, it could simulate mouse clicks and keyboard events.”

Old Apple spy tool

It appears to be old malware too, said Wardle. Comments in the FruitFly code included references to updates for Mac OS X Yosemite, first released in 2014, indicating the spyware was running before that.

Outside of a lack of insight into the other servers, which could push the infection numbers up drastically, it’s also as yet unclear how FruitFly has infected Apple Macs. Apple had not responded to a request for comment.

FruitFly has been seen before too. MalwareBytes first detected it earlier this year apparently targeting biomedical research centers. “The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure,” wrote MalwareBytes researcher Thomas Reed in January. “Although there is no evidence at this point linking this malware to a specific group, the fact that it’s been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.”

But there’s no indication just what the motivations of the malware’s creators are. Looking at the code alone, it may be they’re simply trying to spy on random individuals through their webcams.

http://www.msn.com/en-us/news/technology/creepy-fruitfly-surveillance-malware-hits-american-apple-macs/ar-AAoLc7e