Endpoint

1/19/2017
05:20 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Old-School Mac OS Malware Spotted Targeting Biomedical Industry

Apple patches Mac OS for retro and stealthy 'Fruitfly' malware.

Apple has quietly issued a security fix for a new yet retro-looking malware sample recently found on a Mac machine sitting in a university health center.

The so-called FruitFly malware, analyzed and detailed in a blog post yesterday by Malwarebytes researchers, thus far has infected at least three biomedical research sites and may have been running on the Mac machine at the university site at least since January of 2015.

"They said they found it because it was making some high-volume, unusual network traffic," says Thomas Reed, director of Mac offerings at Malwarebytes. "It looks like it had been on that computer for a couple of years before being discovered. I don't know if the unusual network traffic was because something [in the malware] was not functioning at that point, or maybe that they [the attackers] had done something new that showed something significant."

Neither the victim nor Malwarebytes know just how the malware got onto the Mac machine, whether it was dropped via some sort of Trojan or if it came via an Adobe Flash Player or other exploit. So the initial infection vector remains a mystery for now.

"That might be the missing piece of the puzzle," says Bogdan Botezatu, a senior analyst with Bitdefender, who studied the findings by Malwarebytes.

But for such a stealthy payload, FruitFly may be one of the most rudimentary malware samples the researchers have seen for some time. It's made up of two files, and the malware basically runs as a process in user space, notes Reed. "It's not even a privileged program; there's no root access. So no vulns are involved there."

The binary uses the open-source "libjpeg" code, which dates back to 1998, which was also the last time that code was updated. The malware takes screen captures, Web cam access, mouse-cursor control, and simulated keystrokes, all of which indicated some sort of old-school remote control function, according to Reed.

Malwarebytes has evidence that FruitFly has been around at least since 2014, and similar malware for Windows servers date back to 2013. "We saw some evidence of the command-and-control for it since 2011," Reed says. "This has been around for awhile."

The retro code design may either be the handiwork of an unsophisticated Mac malware writer, or the reverse: a sophisticated attacker who is purposely hiding in plain sight with older code that wouldn't necessarily capture the attention of modern-day heuristic-detection systems, he says.

Bitdefender's Botezatu says the malware's makeup is "not impressive," so his theory is that there are other components of the attack that have not yet been discovered. "This vector is really simple: it doesn't do much. It takes screenshots, which is de facto behavior for attackers" for instance, he explains.

"What's really odd in this code is that it kind of looks like it was stitched together," he says. "This doesn't look like it has been written by the same person in the same codestream. I think it's been stitched together and taken from different, various places. You might then think that these guys don't know the Mac ecosystem very well."

Both Reed and Botezatu separately say that it could well have been a spinoff from a Linux-based version of the malware. Malwarebytes found Linux shell commands in the original script, although they did not find a Linux sample as yet. "One of our researchers actually took the malware and ran it on a Linux machine … one of the three components was a Mac app and it wouldn't run on Linux. Everything else did," Reed says.

Botezatu says FruitFly's Linux connection reminds him of the KeRanger ransomware discovered for Mac OS X more than a year ago. "It was Mac ransomware that affected initially Linux computers. Then we found it ported for the Mac OS and delivered by an infected transmission controller," he recalls. "That was the first piece of ransomware we'd seen for Macs … We've seen these kinds of migrations recently where cybercriminals started off with Linux payloads and then have adapted to Macs because it's really easy to ... recompile them for Macs."

The takeaway: Mac users should run anti-malware software, both Reed and Botezatu concur. While Mac machines are far less at risk of commercial malware than Windows machines, they're still vulnerable to targeted attacks, adware, and "potentially unwanted programs" (aka PUPS).

If more Macs ran anti-malware, security researchers would have a better look at the threats on those machines, too, Botezatu says. "We have no idea if we don't have those eyes into the Mac space that we have on Windows."

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Lessons from My Strange Journey into InfoSec
Lysa Myers, Security Researcher, ESET,  7/12/2018
What's Cooking With Caleb Sima
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14339
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the MMSE dissector could go into an infinite loop. This was addressed in epan/proto.c by adding offset and length validation.
CVE-2018-14340
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, dissectors that support zlib decompression could crash. This was addressed in epan/tvbuff_zlib.c by rejecting negative lengths to avoid a buffer over-read.
CVE-2018-14341
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the DICOM dissector could go into a large or infinite loop. This was addressed in epan/dissectors/packet-dcm.c by preventing an offset overflow.
CVE-2018-14342
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the BGP protocol dissector could go into a large loop. This was addressed in epan/dissectors/packet-bgp.c by validating Path Attribute lengths.
CVE-2018-14343
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ASN.1 BER dissector could crash. This was addressed in epan/dissectors/packet-ber.c by ensuring that length values do not exceed the maximum signed integer.