The malware is a variant on Fruitfly, discovered back in January and blocked by a macOS update shortly afterwards. Fruitfly used antiquated code that actually predates OS X, and was used in targeted attacks against biomedical research institutions.
Wardle told ArsTechnica that the variant was mostly found in Macs in homes in the USA.
After analyzing the new variant, Wardle was able to decrypt several backup domains that were hardcoded into the malware. To his surprise, the domains remained available. Within two days of registering one of the addresses, close to 400 infected Macs connected to the server, mostly from homes located in the United States. Although Wardle did nothing more than observe the IP address and user names of Macs that connected to his server, he had the ability to use the malware to spy on the users who were unwittingly infected.
Based on analysis of the IP addresses connecting to the server, the malware does not appear to be targeting companies, and also does not appear to be designed to make money.
“I don’t know it if it’s just some bored person or someone with perverse goals,” Wardle said. “If some bored teenager is spying on me, that would still be very emotionally traumatic. If it’s turning on the webcam, that’s for perverse reasons.”
Wardle informed law enforcement officials, and the hardcoded domains have been shut down, neutralizing the threat for now. The researcher has passed details to Apple, and will be speaking more about the malware at the Black Hat Security Conference in Las Vegas, where we’ll also hear more details about the serious wifi vulnerability fixed in iOS 10.3.3.
It is likely that owners of infected machines were tricked into clicking on a link that installs the malware. As always, you should only ever install apps from the Mac App Store and trusted developers.
Wardle told ArsTechnica that the variant was mostly found in Macs in homes in the USA.
After analyzing the new variant, Wardle was able to decrypt several backup domains that were hardcoded into the malware. To his surprise, the domains remained available. Within two days of registering one of the addresses, close to 400 infected Macs connected to the server, mostly from homes located in the United States. Although Wardle did nothing more than observe the IP address and user names of Macs that connected to his server, he had the ability to use the malware to spy on the users who were unwittingly infected.
Based on analysis of the IP addresses connecting to the server, the malware does not appear to be targeting companies, and also does not appear to be designed to make money.
“I don’t know it if it’s just some bored person or someone with perverse goals,” Wardle said. “If some bored teenager is spying on me, that would still be very emotionally traumatic. If it’s turning on the webcam, that’s for perverse reasons.”
Wardle informed law enforcement officials, and the hardcoded domains have been shut down, neutralizing the threat for now. The researcher has passed details to Apple, and will be speaking more about the malware at the Black Hat Security Conference in Las Vegas, where we’ll also hear more details about the serious wifi vulnerability fixed in iOS 10.3.3.
It is likely that owners of infected machines were tricked into clicking on a link that installs the malware. As always, you should only ever install apps from the Mac App Store and trusted developers.