FruitFly, referred to by Apple as “Quimitchin,” is a trojan used to target the Mac OS X operating system. Researchers at Malwarebytes discovered the trojan in cyberespionage attacks targeting biomedical research centers. It captures screenshots and accesses webcams with the goal of exfiltrating all data. The malware code is simplistic, compromising of only two files and uses code from antique system calls dating back to 1998; however, it was still able to go undetected for several years. The attack vector has not been disclosed, but the malware is easy to detect and remove. Apple has already released an automatic update to protect against this threat.

In July 2017, new details emerge from security researchers investigating the malware. Security researcher, Patrick Wardle, studied 400 infections of a new version, FruitFly2. He registered a backup domain and identified multiple victims of the malware, 90 percent of which were located in the United States. The names of the infected devices were also detailed, indicating that most victims appear to be individuals. Wardle believes the malware's purpose is surveillance, rather than financial crime. When Wardle first discovered FruitFly2, no antivirus software detected it. The initial infection vector is still unknown. Wardle has provided law enforcement with his findings and they are currently investigating.

Reporting

• January 2017: New “Quimitchin” Mac malware emerges targeting scientific research. (SecurityWeek)
• July 2017: FruitFly2 discovered, targeting individuals likely for surveillance as opposed to financial crime. Ninety percent of observed victims are located in the Unites States. (Motherboard)

Technical Details

• Malwarebytes provides technical details on the Quimitchin/FruitFly malware, here.