It uses antiquated code, possibly to decrease chances of detection.
A rare strain of malware known as “Fruitfly” appears to have been lurking in the dusty corners of macOS for years, taking advantage of vulnerabilities in code that hasn’t been updated since the late 1990s, according to a report this week from antivirus software maker Malwarebytes.
The malware consists of just two files designed to open a backdoor into the Macs it infects, letting it receive instructions from the hacker’s computer, known in the cybersecurity world as a command and control server (C&C).
The Fruitfly script, according to a Malwarebytes blog post, points to a C&C server with a difficult-to-track dynamic IP address. It appears to offer the server some basic remote control access to the infected system, including screen captures, recording the position of the mouse cursor, and simulating mouse clicks and key presses.
It can also send a map of all other devices on the local network to which the affected computer is connected, including their IPv4 and IPv6 addresses and network names.
Although snippets of the code suggest it was created decades ago and updated several times to work with newer versions of the Mac operating system, including OS X Yosemite, Malwarebytes cautioned that the code’s age may simply be evidence of unskilled hackers.
Fruitfly’s intended targets appear to be biomedical research institutions, according to Malwarebytes, although it did not offer details of specific hacks.
“The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure,” Malwarebytes Director of Mac Offerings Thomas Reed wrote in the blog post.
Security researchers typically share their malware findings with software makers before they publicly disclose them, and in this case Malwarebytes said Apple released a background update to close the loopholes Fruitfly exploits.