Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Mac Malware Creator Indicted in U.S.

“FruitFly” Mac Malware Creator Allegedly Spied On Victims for 13 Years

“FruitFly” Mac Malware Creator Allegedly Spied On Victims for 13 Years

An Ohio man was charged this week in a 16-count indictment for allegedly developing malware known as “FruitFly” and for infecting thousands of computers with it.

The man, Phillip R. Durachinsky, 28, of North Royalton, Ohio, has been charged with using the malware for more than 13 years to watch, listen to, and obtain personal data from unknowing victims, as well as to produce child pornography.

FruitFly, also known as Quimitchin, was first discovered a year ago, despite being said to have been developed over a decade ago. The malware was supposedly designed to exfiltrate data from anything it can access and its presence on machines at biomedical facilities led researchers to believe it was a cyber-espionage tool. What isn’t yet clear is how the malware was distributed to the compromised systems.

At Virus Bulletin last year, security researcher Patrick Wardle presented a paper on a second variant of FruitFly, explaining that the threat is installed persistently on the victims’ machines, that it employs obfuscation, and that it includes support for a large number of commands. By setting up a custom command and control (C&C) server for the threat, he was also able to observe and analyze the malware’s behavior.

The malware, Wardle revealed, included support for around 25 commands, and supports advanced commands rarely seen in macOS malware, such as the ability to simulate mouse and keyboard events, likely in an attempt to interact with system dialogs or alerts from security products.

Although designed to target Macs, FruitFly was found to contain Linux shell commands and to run just fine on Linux, which suggested that a variant targeting this operating system might have been built as well. Windows-based executable files that communicated with the malware’s C&C were also discovered, and one of them was found to use a libjpeg library that hasn’t been updated since 1998, but which FruitFly also uses.

According to the indictment the Department of Justice made public this week, Durachinsky from 2003 through Jan. 20, 2017, allegedly orchestrated a scheme to access “thousands of protected computers owned by individuals, companies, schools, a police department, and the government, including one owned by a subsidiary of the U.S. Department of Energy.”

Advertisement. Scroll to continue reading.

Using the FruitFly malware, he allegedly controlled infected computers “by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio,” DoJ said.

The indictment also alleges that Durachinsky used the malware to steal victims’ personal information, including logon credentials, tax records, medical records, photographs, banking records, Internet searches, and communications. He is also charged with using the stolen credentials to access and download information from third-party websites.

Moreover, Durachinsky is said to have used the compromised systems to watch and listen to victims without their knowledge or permission and to intercept oral communications taking place in the room where the infected computer was located. Durachinsky was apparently alerted if a user typed words associated with pornography and is said to have saved millions of images and to have kept detailed notes of what he saw.

“For more than 13 years, Phillip Durachinsky allegedly infected with malware the computers of thousands of Americans and stole their most personal data and communications,” Acting Assistant Attorney General John P. Cronan of the Justice Department’s Criminal Division said.

Related: New “Quimitchin” Mac Malware Emerges Targeting Scientific Research

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.