Offensive Malware Analysis: Dissecting OSX Fruitfly

Talk on YouTube

Background

  • Fruitfly is an OSX backdoor
  • Has webcam capture, a capability more typical of nation-state tooling, yet it targets ordinary home users, probably for blackmail
  • Had been in circulation for an estimated 5-10 years before it was detected
  • Victims were mostly in the US
  • The implant is an obfuscated Perl script!
  • Supports about 25 top-level commands (roughly 50 counting subcommands)

Analyzing the malware

Static analysis

  • Deobfuscated the Perl script by hand
  • Identified three parts: imports, helper functions, and the main function

Dynamic analysis

  • Wireshark for network monitoring
  • fs_usage for file monitoring
  • ProcInfo for process monitoring
  • SniffMK for keyboard/mouse event monitoring

Some interesting C&C commands

  • take a screenshot
  • detect whether the user is active
  • kill the malware process
  • list folders
  • move the mouse
  • type with the keyboard

Offensive analysis

  • The script accepts the IP address of the C&C server as a command-line argument when run by hand
  • This means you can point the sample at a server you control, write code that simulates the C&C server, and observe exactly what the implant sends (the data the real C&C server would be collecting) and how it responds to each command
  • All of the primary C&C servers had been taken down, but the domain names of the backup servers were unregistered, so the speaker registered them
  • He then wrote and deployed his own C&C server on those domains, and a number of infected hosts started connecting to it!
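The technique in the last three bullets (stand up your own server, accept the implant's connections, and record what it sends) in runnable form. This is an added example, not the speaker's code, and the wire format it uses (a 4-byte big-endian length prefix on every message, a one-byte command from the server) is a constructed stand-in; Fruitfly's real protocol is not reproduced here. The `fake_implant` client is likewise a constructed stand-in for an infected host pointed at the sinkhole, so the whole thing runs offline on 127.0.0.1.

```python
"""Minimal C&C sinkhole: accept implant connections and record what they send.

Added example; the framing and the CMD_PING command are hypothetical,
not Fruitfly's actual protocol.
"""
import socket
import struct
import threading
from dataclasses import dataclass

CMD_PING = b"\x00"      # hypothetical command: "echo your beacon back"
MAX_FRAME = 1 << 20     # refuse absurd lengths so a hostile client cannot OOM us


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer goes away first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        buf += chunk
    return buf


def recv_frame(sock):
    """Read one length-prefixed message (constructed framing)."""
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    if length > MAX_FRAME:
        raise ValueError("refusing oversized frame of %d bytes" % length)
    return recv_exact(sock, length)


def send_frame(sock, payload):
    sock.sendall(struct.pack("!I", len(payload)) + payload)


@dataclass
class Session:
    peer: tuple     # (ip, port) of the connecting host
    beacon: bytes   # first message the implant sent on connect
    reply: bytes    # its answer to our CMD_PING


class Sinkhole:
    """Listens like the real C&C would and logs every session it sees."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))       # port 0: let the OS pick one
        self.sock.listen(8)
        self.sock.settimeout(0.5)          # so the accept loop can notice stop()
        self.address = self.sock.getsockname()
        self.sessions = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    beacon = recv_frame(conn)      # what does it volunteer on connect?
                    send_frame(conn, CMD_PING)     # drive it with one command
                    reply = recv_frame(conn)       # and see how it answers
                except (OSError, ValueError):
                    continue                       # malformed or dropped session
                self.sessions.append(Session(peer, beacon, reply))


def fake_implant(address, hostname, user):
    """Constructed stand-in for an infected host whose C&C address we control."""
    with socket.create_connection(address, timeout=2.0) as s:
        send_frame(s, hostname + b"|" + user)      # hypothetical beacon format
        cmd = recv_frame(s)
        if cmd == CMD_PING:
            send_frame(s, b"pong|" + hostname)
        else:
            send_frame(s, b"unknown|" + cmd)


def run_demo():
    """Start the sinkhole, let two constructed implants check in, return the log."""
    sink = Sinkhole()
    sink.start()
    try:
        fake_implant(sink.address, b"victim-mac", b"alice")
        fake_implant(sink.address, b"other-mac", b"bob")
    finally:
        sink.stop()
    return sink.sessions


if __name__ == "__main__":
    for s in run_demo():
        print(s.peer, s.beacon, s.reply)
```

Against a real sample you would bind the listener on the port the implant expects, point the sample at it via the command-line argument, and replace the constructed framing with whatever the deobfuscated script actually does on the wire; the capped frame length and per-connection timeouts matter more once arbitrary infected hosts, not your own test client, are the ones connecting.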