
New FruitFly Malware Variant Dragged from the Shadows

Posted on July 26th, 2017 by Jay Vrijenhoek


Earlier this year, in January, security researchers uncovered malware that had likely evaded detection for years. Labeled OSX/FruitFly.A by Intego, this malware slunk back into the shadows and had not been seen since it was initially discovered; that is, until now. Patrick Wardle, a security researcher and former NSA hacker, has discovered another FruitFly variant, and this one may have been around as long as, or longer than, the original variant found in January.

Dubbed FruitFly.B, this new variant appears to have the same functionality as its predecessor. The malware can perform the following actions on an infected Mac:

  • Take screenshots in various qualities
  • Record keystrokes
  • Take pictures with the webcam
  • Modify files
  • Collect information about the infected Mac

"The most interesting feature is that the malware can send an alert when the user is active, so that the attacker can then avoid interfering with the computer to remain stealthy. I haven't seen that before," Wardle told ZDNet.

With most of the Command & Control (C&C) servers no longer active, Wardle wrote his own C&C server code and registered domains that had previously belonged to the malware's C&C infrastructure. Because the infected Macs still resolve those domains, this allowed him to intercept the malware's traffic.

As soon as his C&C servers came online, his screen began filling up with data from Macs in the wild that were infected with FruitFly. Now potentially sitting on private and sensitive data from the victims out there, he logged the connections, parsed the computer names, and then closed each connection to make sure no further data would be received.
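A minimal version of that kind of sinkhole, as an added example that is neither Wardle's code nor part of the original post: it listens where a C&C server used to be, records the caller's address and whatever the first read contains, and hangs up without replying, so nothing beyond the initial check-in is ever accepted. The beacon layout it parses (a hostname and a user name separated by a tab) is an assumption made for this example; the page does not describe FruitFly's actual protocol, and the two beacons in demo() are constructed.

```python
import socket
import threading
import time
from dataclasses import dataclass

# Assumed beacon layout, for this example only: one line "<hostname>\t<username>\n".
# The real FruitFly wire protocol is not described on this page.
MAX_BEACON_BYTES = 512


@dataclass
class Beacon:
    peer_ip: str
    hostname: str
    username: str
    received_at: float


def parse_beacon(raw: bytes) -> tuple[str, str]:
    """Split the assumed beacon line into (hostname, username); missing fields become '?'."""
    line = raw.split(b"\n", 1)[0].decode("utf-8", errors="replace").rstrip("\r\n")
    parts = line.split("\t")
    hostname = parts[0] if parts[0] else "?"
    username = parts[1] if len(parts) > 1 and parts[1] else "?"
    return hostname, username


class Sinkhole:
    """Accept connections to a reclaimed C&C domain, log metadata, send nothing back."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))          # port 0: let the OS pick a free port
        self._sock.listen(16)
        self._sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.host, self.port = self._sock.getsockname()[:2]
        self.records: list[Beacon] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (ip, _port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:                          # closed on block exit: no reply, no tasking
                conn.settimeout(1.0)
                try:
                    raw = conn.recv(MAX_BEACON_BYTES)   # exactly one read, then hang up
                except socket.timeout:
                    raw = b""
                hostname, username = parse_beacon(raw)
                with self._lock:                # logged before the socket closes
                    self.records.append(Beacon(ip, hostname, username, time.time()))


def send_beacon(host: str, port: int, payload: bytes) -> bytes:
    """Stand-in for an infected client: connect, send, and return whatever comes back."""
    with socket.create_connection((host, port), timeout=3) as c:
        c.sendall(payload)
        return c.recv(64)           # b"" once the sinkhole closes without answering


def demo() -> list[Beacon]:
    """Run the sinkhole locally against two constructed beacons and return its log."""
    sink = Sinkhole()
    sink.start()
    try:
        for payload in (b"macbook-pro.local\talice\n", b"imac.local\n"):
            assert send_beacon(sink.host, sink.port, payload) == b""
    finally:
        sink.stop()
    return list(sink.records)


if __name__ == "__main__":
    for b in demo():
        print(f"{b.peer_ip}  host={b.hostname}  user={b.username}")
```

The point of the single read and immediate close is the one the article makes: a researcher who takes over a C&C domain is suddenly in a position to receive victims' private data, so the sinkhole should collect only what is needed to count and characterize the infections and nothing more.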

Early analysis shows that 90% of the victims who connected to his C&C server are in the United States, and they do not appear to be connected to one another.


A selection of usernames and computer names from Macs infected by FruitFly.B. Image credit: Patrick Wardle

Finding a common connection between infected Macs can help track down where the malware originated, but in this case that is not possible. FruitFly could have been spread via malicious email attachments and, as Wardle said, it is most likely operated by a single hacker "with the goal to spy on people for perverse reasons."

This new variant is known as FruitFly.B, and at the time of writing, Apple has not addressed it in its XProtect or Malware Removal Tool signatures. Intego already protects its customers from both FruitFly variants: Intego VirusBarrier will identify and eradicate the malware as OSX/FruitFly.A and OSX/FruitFly.B, regardless of whether the variant arrives as an executable, a Perl script, or a Java class.

The first variant was found by a network security team, the second by a security researcher. These researchers analyze the suspicious behavior of files and network traffic and, in the case of anti-virus companies, write the malware signatures for the software that protects your Mac. Even so, full computer security requires a layered approach to defend against all types of attacks.

How to secure your Mac with layers of protection

Not everyone has a dedicated network security team and IT admin available, but what if you could have that? Your own network security team sounds expensive, doesn't it? A team of people who all need to be paid, plus the hardware they need to do their jobs; it adds up quickly! So what's the next best thing? Security software, of course!

With a variety of threats targeting you nowadays, the best defense is implementing layers of protection, and that is how you should judge potential security software. Anti-virus can stop malicious files, but on its own it is not enough to keep the other threats from getting through and ruining your data.

Below are a few examples of different layers of protection, each of which contributes to your security in its own way. You are not limited to one or two layers; you can add as many as you like, as long as they do not interfere with each other.

Let's have a look at the layers of protection included with Intego's Mac Premium Bundle:

Intego NetBarrier

Running Intego NetBarrier on your Mac is like having your own personal network security team, only a lot more affordable: there is no team to pay, and the hardware it needs is the Mac you already have. NetBarrier can flag both incoming and outgoing connection attempts, so in the case of hidden malware not yet detected by any commercial anti-virus software, you would quickly be made aware of its presence when it attempts to scan the network or contact an external C&C server. A two-way firewall like NetBarrier adds a solid layer to your security and helps keep intruders out of your Mac.

What about an IT admin? Those don't come cheap either, and good ones are hard to find. Luckily, firewall software like NetBarrier watches your Mac for malicious network activity, and while it is no substitute for a skilled IT admin, it can alert you to malware before one has to get involved.

Intego VirusBarrier

Watching your Mac around the clock for any hint of malware and potentially unwanted programs (PUPs), Intego VirusBarrier is a valuable layer of protection. The anti-virus software prevents malicious files from infecting your Mac: downloads, email attachments, external drives, and even the flash drive that someone with less-than-honorable intentions might plug into your Mac are all scanned.

VirusBarrier is sophisticated anti-virus software that prevents malicious files from infecting your Mac, but don't rely on it to stop intruders on the network (that is a job for NetBarrier), and be sure to secure your sensitive data, too.

Mac Washing Machine

A cluttered hard drive is a more stressed hard drive: it has to work harder to find the files you request, runs hotter as a result, and its lifespan may ultimately be reduced, and all of this is amplified as free space on the drive shrinks. Enter Mac Washing Machine, simple-to-use software that makes it easy to get rid of junk files that slow down your Mac, duplicate files that take up needed space, and even applications you never use. As an added benefit, Mac Washing Machine also helps you stay organized and can automatically sort the heap of files on your Desktop into the right folders.

Hard drive failure means you can lose your data, and ultimately what Mac Washing Machine does is protect your data by relieving common stressors on your hard drive.

Personal Backup

Speaking of data security, if you do suffer a hard drive (or solid-state drive) failure, your backup will dictate how much of your data is recovered and how recent that data is. Of course, you are already using macOS's built-in Time Machine feature, but what if both your Mac and your backup drive are destroyed in a fire or encrypted by ransomware? Malware, hackers, or system issues can all corrupt or delete your important files, leaving you with nothing. Therefore, you want to back up your data in multiple places (two backups are better than one), and one of those places should preferably be off-site. Personal Backup can help you do just that.

If you have multiple hard drives, flash drives, local servers, remote servers, or another Mac you want to keep in sync, Personal Backup can create a safe copy of your data on it. It is very flexible and can handle almost any backup schedule you want. Together with Apple's Time Machine, this one-two punch helps ensure you don't lose any important files.

ContentBarrier

There is a layer of protection that is often overlooked because not everyone needs it: the safety of your children. Having anti-virus, a firewall, and a solid backup strategy will keep your data safe, but those layers are not equipped to shield your child from all the inappropriate content they can be exposed to online. Intego ContentBarrier was designed for just that purpose; with content filtering and parental controls, you don't have to worry about what sort of Internet content your children can access.

ContentBarrier's configuration is very flexible and lets you block specific categories of websites, such as Adult, Gambling, and more. Its anti-predator chat monitoring is a powerful feature as well: it monitors standard chat protocols and can recognize words, phrases, or abbreviations that may indicate something objectionable or inappropriate is being discussed. Instant notifications mean you can block online access right away, even when you're not home.

What about macOS built-in security features?

Hardening your macOS installation itself adds several layers of protection, too. This includes enabling automatic updates, using encryption features like FileVault, requiring a password to wake from the screen saver, disabling Bluetooth when not in use, and keeping plug-ins like Flash Player and Java off your system. By using multiple layers of protection, you keep your digital life safe, clean, and secure.
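A quick self-check for the settings listed above, as an added example (not Intego's code and not from the original post): it reads each setting with the same defaults, fdesetup, and file-system probes an admin would run by hand, then reports anything that deviates from the hardened value. The preference domains and keys are the ones used on macOS Sierra-era systems; they are stated from experience rather than from the page and can move between macOS releases, so treat them as assumptions to verify on your own version. HARDENED_BASELINE is a constructed set of values, not a capture from a real Mac.

```python
import os
import platform
import subprocess
from dataclasses import dataclass
from typing import Callable

# Preference domains/keys are those of macOS Sierra-era systems (an assumption;
# they can change between releases). Verify them on your own macOS version.
PLUGIN_PATHS = (
    "/Library/Internet Plug-Ins/Flash Player.plugin",
    "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin",
)


@dataclass(frozen=True)
class Check:
    name: str
    command: tuple[str, ...]        # probe to run on the Mac
    ok: Callable[[str], bool]       # passes when the probe's output is hardened
    advice: str


CHECKS = (
    Check("auto_update_check",
          ("defaults", "read", "/Library/Preferences/com.apple.SoftwareUpdate", "AutomaticCheckEnabled"),
          lambda v: v == "1", "Turn on automatic update checks (System Preferences > App Store)."),
    Check("auto_update_download",
          ("defaults", "read", "/Library/Preferences/com.apple.SoftwareUpdate", "AutomaticDownload"),
          lambda v: v == "1", "Let macOS download updates automatically."),
    Check("filevault",
          ("fdesetup", "status"),
          lambda v: v.startswith("FileVault is On"), "Enable FileVault full-disk encryption."),
    Check("screensaver_password",
          ("defaults", "read", "com.apple.screensaver", "askForPassword"),
          lambda v: v == "1", "Require a password after the screen saver starts."),
    Check("screensaver_delay",
          ("defaults", "read", "com.apple.screensaver", "askForPasswordDelay"),
          lambda v: v == "0", "Require the password immediately, not after a grace period."),
    Check("bluetooth_off",
          ("defaults", "read", "/Library/Preferences/com.apple.Bluetooth", "ControllerPowerState"),
          lambda v: v == "0", "Disable Bluetooth when you are not using it."),
)


def read_setting(command: tuple[str, ...]) -> str:
    """Run one probe and return its trimmed stdout; a missing key or failed command reads as ''."""
    try:
        out = subprocess.run(command, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return out.stdout.strip() if out.returncode == 0 else ""


def collect() -> dict[str, str]:
    """Gather the live values on a Mac (the probes are meaningless elsewhere)."""
    if platform.system() != "Darwin":
        raise RuntimeError("these probes only make sense on macOS")
    values = {c.name: read_setting(c.command) for c in CHECKS}
    values["plugins"] = ",".join(p for p in PLUGIN_PATHS if os.path.exists(p))
    return values


def audit(values: dict[str, str]) -> list[str]:
    """Compare collected (or constructed) values with the hardened baseline; return advice lines."""
    findings = [f"{c.name}: {c.advice}" for c in CHECKS if not c.ok(values.get(c.name, ""))]
    if values.get("plugins"):
        findings.append(f"plugins: remove {values['plugins']} (keep Flash and Java off your system).")
    return findings


# Constructed values for a machine that passes every check (not a real capture).
HARDENED_BASELINE = {
    "auto_update_check": "1", "auto_update_download": "1", "filevault": "FileVault is On.",
    "screensaver_password": "1", "screensaver_delay": "0", "bluetooth_off": "0", "plugins": "",
}


if __name__ == "__main__":
    for line in audit(collect()) or ["no findings"]:
        print(line)
```

Because a missing key makes defaults read exit non-zero, an unset preference is treated as a failed check rather than silently passing, which is the safe direction for an audit. Running the script on a Mac prints one line per setting that needs attention and nothing else when the machine matches the baseline.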

These are just a few of the layers you can enable to keep your data, privacy, personal information, and children safe. "The best security comes in layers" is not just a phrase we throw around in the security community; it is true and has proven effective many times over. With security coverage from multiple angles, it becomes very hard for existing or yet-to-be-discovered malware to infect your Mac.

Layered security can be implemented at any time, whether during the first setup of your Mac or further down the road, and these layers can be put in place quickly and easily. Spending 10 minutes on it now can save you hours or days of troubleshooting later. Give it a try and let us know which security layers are protecting you!

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread.
