Even though Microsoft dominates the desktop market, malware authors are paying more and more attention to Mac OS. Apple’s operating system is also prone to vulnerabilities, and attackers have succeeded in exploiting them throughout the past two years. A good example of a malicious operation that has moved from Windows to Mac is OSX.Pirrit. Initially adware for Windows, Pirrit was readjusted to target Mac computers.
Last year’s security analysis showed that OSX.Pirrit was far more complicated and capable of more malicious activity than its Windows counterpart. It didn’t just flood the victim’s browser with ads but could also obtain root access to the system. Overall, Pirrit for Windows may have been a classic adware program injecting intrusive ads into browsers, but the Mac variant was worse.
Researcher Cracked the First Mac Malware for 2017
Why are we telling you all of this? It appears that a researcher has succeeded in cracking what is most likely the first piece of Mac malware for 2017. The reasons for success? The authors used some very old code. The specific targets also made it easy for him to uncover the attack. The malware in question is called Fruitfly and is essentially a backdoor which “contains functions and system calls that precede OS X – Apple’s major rewrite of its operating system that debuted in 2001,” as explained by security researcher Thomas Reed.
“The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac. This led to the discovery of a piece of malware unlike anything I’ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers,” Reed said.
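The discovery described above started with an administrator noticing unusual outbound traffic, not with an antivirus alert. The following is an added example (not code from the article or from Reed’s analysis) of the kind of check that surfaces such traffic: it scans a constructed outbound-connection log and flags hosts that contact a single external destination at a steady interval, which is what a backdoor polling its controller typically looks like. The log lines, host names and IP addresses are all constructed for the example; nothing here describes Fruitfly’s actual traffic pattern.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample log (not real traffic): timestamp, source host, destination IP, port.
# lab-mac-07 talks to 203.0.113.9 every two minutes; the other connections are ad hoc.
# The 10.0.0.5 entries are equally regular but internal, and are excluded by the RFC 1918 filter.
SAMPLE_LOG = """\
2017-01-10T09:00:00 lab-mac-07 203.0.113.9 443
2017-01-10T09:00:01 lab-mac-07 198.51.100.4 443
2017-01-10T09:02:00 lab-mac-07 203.0.113.9 443
2017-01-10T09:03:30 lab-mac-07 198.51.100.20 80
2017-01-10T09:04:00 lab-mac-07 203.0.113.9 443
2017-01-10T09:06:00 lab-mac-07 203.0.113.9 443
2017-01-10T09:08:00 lab-mac-07 203.0.113.9 443
2017-01-10T09:10:00 lab-mac-07 203.0.113.9 443
2017-01-10T09:00:00 lab-mac-07 10.0.0.5 445
2017-01-10T09:02:00 lab-mac-07 10.0.0.5 445
2017-01-10T09:04:00 lab-mac-07 10.0.0.5 445
2017-01-10T09:06:00 lab-mac-07 10.0.0.5 445
2017-01-10T09:08:00 lab-mac-07 10.0.0.5 445
2017-01-10T09:01:10 lab-mac-12 198.51.100.4 443
2017-01-10T09:07:45 lab-mac-12 198.51.100.4 443
2017-01-10T09:09:02 lab-mac-12 198.51.100.31 443
"""

# RFC 1918 ranges: traffic to these is internal and not what this check is after.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(dst):
    """True if the destination address falls inside an RFC 1918 range."""
    addr = ip_address(dst)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Group connection timestamps by (source host, destination IP, destination port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port = line.split()
        flows[(host, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_connections=5, max_jitter=0.2):
    """Return (host, dst, port, interval_seconds, count) for external destinations
    contacted at least min_connections times with a near-constant interval.

    Jitter is the standard deviation of the gaps divided by the mean gap; a value
    near zero means the connections are evenly spaced, which is the signature of
    a timer-driven check-in rather than human browsing.
    """
    hits = []
    for (host, dst, port), times in flows.items():
        if len(times) < min_connections or is_internal(dst):
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            hits.append((host, dst, port, round(avg), len(times)))
    return hits


if __name__ == "__main__":
    for host, dst, port, interval, count in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{host} -> {dst}:{port} every ~{interval}s ({count} connections)")
```

In practice this is run over firewall, proxy or flow logs rather than an inline string, and the interval threshold is tuned to the environment; legitimate software updaters also poll on timers, so a hit is a lead to investigate the destination and the process behind it, not a verdict on its own.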
As mentioned above, Fruitfly is a backdoor designed to take screenshots and gain access to webcams. Luckily, it turns out that it’s easy to remove and is detected instantly. Nonetheless, it’s been circling for at least two years.
The malware has functions and system calls that predate OS X. As pointed out by the researcher, it uses a code library called libjpeg, used for encoding and manipulating JPEG images. Funnily enough, the version of the library used in Fruitfly hasn’t been updated since 1998, which is quite a long time.
The researcher says that there may be a reason hackers are using code this old. It may be because the attackers are not well aware of how Mac machines work. Or it may be because they were trying to avoid triggering behavioral detections that might be expecting newer code.