FruitFly is malware designed to spy on Mac users. It targets macOS and saves itself with a leading "." so that it is stored as a hidden file. It deletes files on the system, takes screenshots of the user's desktop, persists via a Launch Agent, and executes and stores obfuscated Perl scripts.
FruitFly Malware Capabilities
FruitFly may attempt to enumerate files and directories on a system, or search for specific information within a file system. The information gathered may be used to shape follow-on behavior, including whether or not the adversary fully infects the target and/or attempts specific actions. FruitFly may also set files and directories to be hidden, and delete files left behind by their intrusion activity, in order to evade detection. Additionally, FruitFly may take screen captures of the desktop and create or modify launch agents for persistence. Finally, FruitFly may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents.
- FruitFly may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. FruitFly may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. FruitFly may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files, either via a series of Graphical User Interface prompts or with command line switches.
- FruitFly may delete files left behind by its intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
- FruitFly may attempt to take screen captures of the desktop to gather information over the course of an operation. It may also create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Additionally, FruitFly may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Ways to Mitigate FruitFly Malware Attacks
- The FruitFly malware attack can be mitigated by monitoring the file system and shell commands for files being created with a leading "." (and, on Windows hosts, command-line use of attrib.exe to add the hidden attribute). Additionally, benign use of command-line deletion functions such as DEL, or of third-party deletion utilities, may be uncommon in an environment, so monitoring these deletion commands and correlating them with binaries or other files that an adversary may drop and later remove can surface malicious activity.
- The FruitFly malware attack can be mitigated by monitoring for unusual process behavior, correlated with other events, to identify malicious activity. Additionally, the creation of Launch Agents can be monitored, and file obfuscation can be detected.
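The monitoring advice above (hidden-file creation, Launch Agent writes, and command-line deletion of previously dropped files) as a small detector run over constructed file-event records. This is an added example, not code from the page or from FruitFly analysis; the event format, process names and every path in it are assumptions chosen for illustration.

```python
# Added example: applies the page's monitoring rules to a constructed stream of
# file events. Event schema, paths and process names are hypothetical.
import os
from dataclasses import dataclass

@dataclass
class FileEvent:
    action: str    # "create", "modify" or "delete"
    path: str      # absolute path acted on
    process: str   # name of the process that performed the action

DELETE_TOOLS = {"rm", "unlink"}                         # command-line deletion functions
INTERPRETERS = {"perl", "python", "sh", "bash", "osascript"}  # script hosts worth a higher-severity rule

def is_hidden(path: str) -> bool:
    """True if the final path component starts with '.' (a hidden file)."""
    return os.path.basename(path).startswith(".")

def is_launch_agent(path: str) -> bool:
    """True for a .plist inside a per-user or system LaunchAgents directory."""
    return path.endswith(".plist") and "/Library/LaunchAgents/" in path

def analyze(events):
    """Return a list of (rule, path, process) alerts for the event stream."""
    alerts = []
    dropped = set()   # paths created during the stream; a later deletion is correlated
    for ev in events:
        if ev.action == "create":
            dropped.add(ev.path)
            if is_hidden(ev.path):
                rule = "hidden_file_by_interpreter" if ev.process in INTERPRETERS else "hidden_file_created"
                alerts.append((rule, ev.path, ev.process))
        if ev.action in ("create", "modify") and is_launch_agent(ev.path):
            alerts.append(("launch_agent_written", ev.path, ev.process))
        if ev.action == "delete" and ev.process in DELETE_TOOLS and ev.path in dropped:
            alerts.append(("dropped_file_deleted", ev.path, ev.process))
    return alerts

# Constructed sample events (hypothetical names, not real indicators).
SAMPLE_EVENTS = [
    FileEvent("create", "/Users/alice/.hidden_client", "perl"),
    FileEvent("create", "/Users/alice/Library/LaunchAgents/com.example.agent.plist", "perl"),
    FileEvent("modify", "/Users/alice/.zshrc", "zsh"),   # editing an existing dotfile: not flagged
    FileEvent("create", "/tmp/stage.bin", "curl"),
    FileEvent("delete", "/tmp/stage.bin", "rm"),         # removal of a file dropped earlier: flagged
]

if __name__ == "__main__":
    for rule, path, proc in analyze(SAMPLE_EVENTS):
        print(f"{rule:28} {proc:6} {path}")
```

Creation rather than modification of a dotfile is what triggers the hidden-file rule, which keeps routine edits of shell configuration out of the alert stream.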