Category Archives: antivirus

Kaspersky Opens Antivirus Source Code for Independent Review to Rebuild Trust

Russia-based antivirus firm Kaspersky Lab has hit back with what it calls a “comprehensive transparency initiative,” allowing independent third-party review of its source code and internal processes in a bid to win back the trust of customers and the infosec community.
Kaspersky launched the initiative days after it was accused of helping, knowingly or unknowingly, Russian government hackers steal classified material from a computer belonging to an NSA contractor.
Earlier this month, a New York Times story claimed that Israeli government hackers broke into Kaspersky’s network in 2015 and caught Russian hackers red-handed using Kaspersky software to hack the US government.

US officials have long suspected that Kaspersky may have ties to Russian intelligence agencies.
Back in July, the company offered to turn over its source code for the U.S. government to audit.

However, the offer did not stop the U.S. Department of Homeland Security (DHS) from banning Kaspersky software and ordering its removal from all government computers.

In a blog post today, the company published a four-point plan:

  • Kaspersky will submit its source code for independent review by internationally recognised authorities, starting in Q1 2018.
  • Kaspersky also announced an independent review of its business practices to assure the integrity of its solutions and internal processes.
  • Kaspersky will establish three transparency centres over the next three years, “enabling clients, government bodies & concerned organisations to review source code, update code and threat detection rules.”
  • Kaspersky will pay up to $100,000 in bug bounty rewards for finding and reporting vulnerabilities in its products.

“With these actions, we will be able to overcome mistrust and support our commitment to protecting people in any country on our planet,” said Kaspersky CEO Eugene Kaspersky.

However, infosec experts’ commentary on Twitter suggests the damage has already been done.

“Code review is absolutely meaningless. All Russian intelligence needs is access to KSN, Kaspersky’s data lake, which is a treasure trove of data. Even open sourcing the entire product won’t reveal or even help with revealing that,” tweeted Amit Serper, a security researcher at Cybereason.

It remains to be seen whether these actions will be enough to restore the confidence of US government agencies, or whether the company will be forced to move its base out of Russia.

Unpatched Microsoft Word DDE Exploit Being Used In Widespread Malware Attacks

A newly discovered, unpatched attack method that abuses a built-in feature of Microsoft Office is being used in several widespread malware campaigns.

Last week we reported how attackers can leverage an old Microsoft Office feature called Dynamic Data Exchange (DDE) to execute malicious code on a targeted device without requiring macros to be enabled and without any memory corruption.
The DDE protocol is one of several methods Microsoft provides for two running applications to share data.
It is used by thousands of applications, including Excel, Word, Quattro Pro and Visual Basic, both for one-time data transfers and for continuous exchanges in which applications send updates to one another.
The DDE technique displays no security warning beyond a prompt asking whether the user wants to start the application named in the field, and even that prompt can reportedly be suppressed “with proper syntax modification.”

Soon after the details of the DDE technique went public, Cisco’s Talos threat research group published a report on a campaign actively exploiting it in the wild to target several organisations with a fileless remote access trojan (RAT) called DNSMessenger.

Now, according to SANS ISC, the operators of the Necurs botnet, which currently controls over 6 million infected computers worldwide and sends millions of spam emails, have been seen distributing Locky ransomware and the TrickBot banking trojan using Word documents that carry the DDE technique.
Locky’s operators previously relied on macro-laden booby-trapped Office documents, but the Necurs spam now delivers the malware via DDE, and the downloader has gained the ability to take screenshots of victims’ desktops.

“What’s interesting about this new wave is that the downloader now contains new functionality to gather telemetry from victims,” Symantec said in a blog post.

“It can take screen grabs and send them back to a remote server. There’s also an error-reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities.”

Hancitor Malware Using DDE Attack

A separate malware spam campaign discovered by security researchers has also been found distributing Hancitor malware (also known as Chanitor and Tordal) using the Office DDE technique.

Hancitor is a downloader that installs payloads such as banking trojans, data-stealing malware and ransomware on infected machines, and is usually delivered as a macro-enabled Office document in phishing emails.

How to Protect Yourself From Word DDE Attacks?

Because DDE is a legitimate Microsoft feature, most antivirus products neither warn about nor block Office documents containing DDE fields, and Microsoft has no plans to issue a patch removing the functionality.
You can still reduce your exposure by disabling the “Update automatic links at open” option in the Office programs.
To do so in Word, open File → Options → Advanced, scroll down to General and uncheck “Update automatic links at open.” Note that this setting only stops fields from updating automatically when a document is opened; a field can still be updated manually (for example by selecting it and pressing F9), so it is a mitigation rather than a fix.
The best defence, however, is to treat any unsolicited document arriving by email with suspicion and never to open attachments or click links inside them without first verifying the source.
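A practical way to triage inbound documents for this technique is to unzip the .docx and inspect the field codes themselves rather than rely on antivirus verdicts. The following Python script is an added example (not code from the original post or from any vendor cited above): it builds two small documents in memory, one carrying a DDEAUTO field split across two runs plus a second DDEAUTO simple field, and one with a harmless DATE field, then reports which parts contain DDE fields. The sample documents, the cmd.exe command inside them, and the function names (find_dde_fields, _make_docx) are constructed for this illustration.

```python
"""Scan a .docx for DDE/DDEAUTO field codes.

Added example: the two sample documents are constructed in memory here and
are not real malware; the field syntax follows the technique described above.
Names such as find_dde_fields and _make_docx are this example's own.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# A field whose code begins with DDE or DDEAUTO, ignoring case and the
# leading whitespace/quote variations attackers use to dodge naive matching.
DDE_RE = re.compile(r'^\s*"?\s*DDE(AUTO)?\b', re.IGNORECASE)

# Field codes can live in the body as well as in headers, footers and notes.
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")


def _field_codes(part_xml):
    """Return every field code in one XML part, in document order."""
    codes = []
    current = None  # instrText fragments of the complex field being read
    for el in ET.fromstring(part_xml).iter():
        if el.tag == W + "fldSimple":
            # Simple field: the whole code sits in the w:instr attribute.
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            # Complex field: begin ... instrText* ... separate/end.
            ftype = el.get(W + "fldCharType")
            if ftype == "begin":
                current = []
            elif ftype in ("separate", "end") and current is not None:
                codes.append("".join(current))
                current = None
        elif el.tag == W + "instrText" and current is not None:
            # Word may split one code over several runs; rejoin the pieces so
            # "DDE" + "AUTO" is seen as DDEAUTO.
            current.append(el.text or "")
    return codes


def find_dde_fields(docx_bytes):
    """Return [(part_name, field_code), ...] for every DDE field in the file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if PART_RE.match(name):
                for code in _field_codes(zf.read(name)):
                    if DDE_RE.match(code):
                        hits.append((name, code.strip()))
    return hits


def _make_docx(body_xml):
    """Build a minimal .docx (a zip of XML parts) around the given body XML."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed sample 1: a DDEAUTO field split over two runs, plus a second
# DDEAUTO written as a simple field. The command is the classic cmd.exe launcher.
MALICIOUS_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\\\windows\\\\system32\\\\cmd.exe '
    '"/k calc.exe" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Error! No topic specified.</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    '<w:p><w:fldSimple w:instr="DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe &quot;/c calc.exe&quot;">'
    '<w:r><w:t>placeholder</w:t></w:r></w:fldSimple></w:p>'
)
# Constructed sample 2: an ordinary DATE field, which must not be flagged.
BENIGN_BODY = (
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    '<w:r><w:t>19 October 2017</w:t></w:r></w:fldSimple></w:p>'
)

MALICIOUS_DOCX = _make_docx(MALICIOUS_BODY)
BENIGN_DOCX = _make_docx(BENIGN_BODY)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, find_dde_fields(blob))
```

To check a real file, call find_dde_fields(open(path, "rb").read()). The scanner handles both encodings Word uses for fields (fldSimple and fldChar/instrText), rejoins codes split across runs, and looks in headers, footers and notes as well as the body. It does not cover every obfuscation that has been reported for this technique, nor legacy .doc binaries or RTF, so treat a clean result as one signal among several rather than proof that a document is safe.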

Dangerous Malware Allows Anyone to Empty ATMs—And It’s On Sale!

Hacking ATMs is now easier than ever.
Usually, attackers exploit hardware and software vulnerabilities to force ATMs to spit out cash, but now anyone can simply buy malware to do it.
Criminals are selling ready-made ATM malware, dubbed Cutlet Maker, on an underground hacking forum for around $5,000, researchers at Kaspersky Lab discovered after spotting the forum post advertising it.
The post provides a brief description and a detailed manual for the toolkit, which is designed to target various ATM models through a vendor API, without interacting with ATM users or their data.
The malware therefore does not affect bank customers directly; instead, it tricks ATMs from a specific vendor into dispensing cash without authorisation.

The manual also mentions an infamous piece of ATM malware dubbed Tyupkin, first analysed by Kaspersky Lab in 2014 and used by an international cybercrime gang to carry out jackpotting attacks and make millions by infecting ATMs across Europe and beyond.

The toolkit contains:

  • Cutlet Maker—ATM malware which is the primary element of the toolkit
  • Stimulator—an application to gather cash cassette statuses of a targeted ATM
  • c0decalc—a simple terminal-based application to generate a password for the malware.

According to the Kaspersky researchers, the functionality of Cutlet Maker suggests that two people are meant to be involved in the theft; the roles are called “drop” and “drop master.”

“Access to the dispense mechanism of CUTLET MAKER is password protected. Though there could be just one person with the c0decalc application needed to generate a password,” the researchers say.

“Either network or physical access to an ATM is required to enter the code in the application text area and also to interact with the user interface.”

To operate, the application needs a special library that is part of a proprietary ATM API and controls the cash dispenser unit. As the researchers put it, this shows how “criminals are using legitimate proprietary libraries and a small piece of code to dispense money from an ATM.”

The price of this ATM malware toolkit was $5000 at the time of Kaspersky’s research.

The Cutlet Maker advertisement was initially published on the AlphaBay darknet marketplace, which was recently taken down by the FBI.

New Ransomware Not Just Encrypts Your Android But Also Changes PIN Lock

DoubleLocker, as the name suggests, locks the device twice.

Security researchers at Slovakia-based security software maker ESET have discovered a new Android ransomware that not only encrypts users’ data but also locks them out of their devices by changing the lock-screen PIN.

On top of that, DoubleLocker is the first ransomware known to misuse Android accessibility services, a feature that provides users with alternative ways to interact with their devices and that is mainly abused by Android banking trojans to steal banking credentials.

“Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers,” said Lukáš Štefanko, the malware researcher at ESET.

“Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom.”

Researchers believe DoubleLocker could be upgraded in future to steal banking credentials as well as extort a ransom.

Once installed, the malware asks the user to activate an accessibility service for what it calls ‘Google Play Services’, as shown in the demonstration video.
Having obtained accessibility permission, the malware abuses it to grant itself device administrator rights and to set itself as the default home application (the launcher), all without the user’s knowledge.

“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence,” explains Štefanko.

“Whenever the user clicks on the home button, the ransomware gets activated, and the device gets locked again. Thanks to using the accessibility service, the user does not know that they launch malware by hitting Home.”

Once executed, DoubleLocker first changes the device PIN to a random value that is neither known to the attacker nor stored anywhere, while at the same time encrypting the files on the device with AES.
DoubleLocker demands 0.0130 BTC (approximately USD 74.38 at the time of writing) and threatens victims to pay within 24 hours.

If the ransom is paid, the attacker provides the decryption key to unlock the files and remotely resets the PIN to unlock the device.

How to Protect Yourself From DoubleLocker Ransomware

According to the researchers, there is so far no way to recover the encrypted files without paying. On non-rooted devices, users can factory-reset the phone to unlock it and remove DoubleLocker, at the cost of the data on it.
On rooted devices with debugging mode enabled, victims can use the Android Debug Bridge (ADB) to reset the PIN without wiping the phone.
The best way to avoid falling victim to such ransomware is to download apps only from trusted sources such as the Google Play Store and to stick to verified developers.
Also, never click on links in SMS messages or emails. Even if a message looks legitimate, go directly to the website of origin and verify any claimed update there.
Most importantly, keep a good antivirus app on your smartphone that can detect and block such malware before it infects your device, and keep it and your other apps up to date.

U.S Believes Russian Spies Used Kaspersky Antivirus to Steal NSA Secrets

Did you know that the United States government has banned federal agencies from using Kaspersky antivirus software over spying fears?
Though no solid evidence is publicly available yet, an article in the Wall Street Journal (WSJ) claims that Russian state-sponsored hackers stole highly classified NSA documents from a contractor in 2015 with the help of security software made by Russia-based Kaspersky Lab.
There is currently no way to independently confirm whether the Journal’s claims about the popular security vendor are accurate, and the story does not prove Kaspersky’s involvement.

“As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight,” Kaspersky said in a statement.

The NSA contractor, whose identity has not been disclosed, reportedly downloaded a cache of highly classified material from government systems and moved it to a personal computer at home, a clear violation of security procedures.

Citing anonymous sources, the Journal says the targeted computer was running Kaspersky antivirus, the same product the U.S. Department of Homeland Security (DHS) recently banned from all government systems over spying fears.
The classified documents the contractor took home contained details about how the NSA breaks into foreign computer networks for cyber-espionage operations, as well as how it defends its own systems against attack.
Although what role Kaspersky’s software played in the breach is not entirely clear, US officials believe an antivirus scan performed by the Kaspersky software on the contractor’s computer helped Russian hackers identify the files containing sensitive information.
In response to the WSJ story, Kaspersky CEO Eugene Kaspersky said his company “has not been provided with any evidence substantiating the company’s involvement in the alleged incident. The only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.”
It is also not clear exactly how the files were stolen, but it has been speculated that the antivirus’s practice of uploading suspicious files (such as malware executables) to the company’s servers in Russia may have given the Russian government access to the data.

Another possibility is that Russian hackers stole the data by exploiting vulnerabilities in the Kaspersky software installed on the targeted system, according to a person who asked not to be identified.

“Now, if we assume that what is reported is true: that Russian hackers exploited a weakness in our products installed on the PC of one of our users, and the government agencies charged with protecting national security knew about that, why didn’t they report it to us?” Kaspersky said.

“We patch the most severe bugs in a matter of hours; so why not make the world a bit more secure by reporting the vulnerability to us? I cannot imagine an ethical justification for not doing so.”

The breach of classified NSA files, described as “one of the most significant security breaches in recent years,” occurred in 2015 but was not detected until 2016.
It is not clear whether the incident is connected to the Shadow Brokers leaks, an ongoing public release of NSA hacking tools that many officials and experts have linked to the Russian government.
It is another embarrassing breach for the NSA, which has long struggled with contractor security, from Edward Snowden to Harold Thomas Martin and Reality Winner.

CCleaner Malware Infects Big Tech Companies With Second Backdoor

The unknown attackers who hijacked CCleaner’s download server to distribute a malicious version of the popular system-optimisation software targeted at least 20 major international technology companies with a second-stage payload.
Earlier this week, when the CCleaner compromise was reported, researchers assured users that no second-stage malware had been used and that affected users could simply update to a clean version.

However, while analysing the command-and-control (C2) server that the malicious CCleaner builds contacted, security researchers from Cisco’s Talos group found evidence of a second payload (GeeSetup_x86.dll, a lightweight backdoor module) delivered to a specific list of computers selected by their local domain names.

Affected Technology Firms

According to a predefined list in the C2 server’s configuration, the attack was designed to find computers inside the networks of major technology firms and deliver the secondary payload to them. The target companies included:

  • Google
  • Microsoft
  • Cisco
  • Intel
  • Samsung
  • Sony
  • HTC
  • Linksys
  • D-Link
  • Akamai
  • VMware

In the C2 database, researchers found a list of nearly 700,000 machines infected with the backdoored CCleaner (the first-stage payload) and a list of at least 20 machines that received the secondary payload to gain a deeper foothold on those systems.

The attackers selected those 20 machines based on domain name, IP address and hostname. The researchers believe the secondary payload was intended for industrial espionage.

CCleaner Malware Links to Chinese Hacking Group

According to researchers at Kaspersky Lab, the CCleaner malware shares code with hacking tools used by a sophisticated Chinese group known as Axiom, also tracked as APT17, Group 72, DeputyDog, Tailgater Team, Hidden Lynx or AuroraPanda.

“The malware injected into #CCleaner has shared code with several tools used by one of the APT groups from the #Axiom APT ‘umbrella’,” tweeted the director of Kaspersky Lab’s Global Research and Analysis Team.

Cisco’s researchers also note that a configuration file on the attackers’ server was set to China’s time zone, which suggests the attack may have originated in China. However, this evidence alone is not enough for attribution.
Talos said it has already notified the affected companies about the possible breach.

Removing the Malicious CCleaner Version Would Not Help

Simply removing the tainted Avast-owned CCleaner from infected machines is not enough to eradicate the second-stage payload from a network, particularly while the attackers’ C2 server remains active.
Affected companies whose computers were infected with the malicious version are therefore strongly advised to restore those systems from backups taken before the tainted version was installed.

“These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system,” the researchers say.

For those unaware, the 32-bit Windows version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were affected, and users should update to version 5.34 or later.


BlueBorne: Critical Bluetooth Attack Puts Billions of Devices at Risk of Hacking

If you use a Bluetooth-enabled device, whether a smartphone, laptop, smart TV or any other IoT device, you are at risk of a remote malware attack that can take over the device without any interaction on your part.
Security researchers have discovered eight zero-day vulnerabilities in Bluetooth implementations that affect more than 5.3 billion devices, from Android, iOS, Windows and Linux to Internet of Things (IoT) devices, that use the short-range wireless technology.
Using these vulnerabilities, researchers at IoT security firm Armis devised an attack, dubbed BlueBorne, that could allow attackers to completely take over Bluetooth-enabled devices, spread malware, or establish a “man-in-the-middle” connection to reach a device’s critical data and networks, all without victim interaction.

All an attacker needs is for the victim’s device to have Bluetooth turned on and to be within range of the attacker’s device. Successful exploitation does not even require the vulnerable device to be paired with the attacker’s device.

BlueBorne: Wormable Bluetooth Attack

What is more worrying is that BlueBorne could spread like the wormable WannaCry ransomware that emerged earlier this year and wreaked havoc on large companies and organisations worldwide.
Ben Seri, head of the research team at Armis Labs, says that during a lab experiment his team was able to build a botnet and install ransomware using BlueBorne.

However, Seri believes it would be difficult even for a skilled attacker to create a universal wormable exploit that could find Bluetooth-enabled devices, target all platforms at once and spread automatically from one infected device to the next.

“Unfortunately, this set of capabilities is extremely desirable to a hacker. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet,” Armis said.
“The BlueBorne attack vector surpasses the capabilities of most attack vectors by penetrating secure “air-gapped” networks which are disconnected from any other network, including the internet.”

Apply Security Patches to Prevent Bluetooth Hacking

Armis responsibly disclosed the vulnerabilities to the major affected vendors, including Google, Apple, Microsoft, Samsung and the Linux Foundation, a few months ago.

These vulnerabilities include:

  • Information Leak Vulnerability in Android (CVE-2017-0785)
  • Remote Code Execution Vulnerability (CVE-2017-0781) in Android’s Bluetooth Network Encapsulation Protocol (BNEP) service
  • Remote Code Execution Vulnerability (CVE-2017-0782) in Android BNEP’s Personal Area Networking (PAN) profile
  • The Bluetooth Pineapple in Android—Logical flaw (CVE-2017-0783)
  • Linux kernel Remote Code Execution vulnerability (CVE-2017-1000251)
  • Linux Bluetooth stack (BlueZ) information leak vulnerability (CVE-2017-1000250)
  • The Bluetooth Pineapple in Windows—Logical flaw (CVE-2017-8628)
  • Apple Low Energy Audio Protocol Remote Code Execution vulnerability (CVE Pending)

Google has already made security patches available to its partners, while Apple iOS devices running the most recent version of the mobile operating system (10.x) are not affected.

Millions of Devices Still Waiting for Security Patches

Worse still, all iOS devices running 9.3.5 or older, and the more than 1.1 billion active Android devices running versions older than Marshmallow (6.x), remain vulnerable to BlueBorne.
All Windows computers since Windows Vista are also vulnerable.

“Microsoft released security updates in July and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.” – a Microsoft spokesperson said.

Moreover, millions of smart Bluetooth devices running Linux are also vulnerable. The Tizen OS platform (used in commercial and consumer devices), the BlueZ stack, and Linux kernels from 3.3-rc1 onwards are each affected by at least one of the BlueBorne bugs.
Android users must wait for patches from their device manufacturers.
In the meantime, they can install the “BlueBorne Vulnerability Scanner” app, created by the Armis team, from the Google Play Store to check whether their device is vulnerable. If it is, turn Bluetooth off whenever it is not in use.

European Companies Must Tell Employees If Their Work Emails Are Being Monitored

European companies must now inform employees in advance if their work email accounts are being monitored.
The European Court of Human Rights (ECHR) on Tuesday delivered a landmark judgment on workplace privacy, overturning an earlier ruling that had given employers the right to monitor workplace communications.
The ruling came in the case of Romanian engineer Bogdan Barbulescu, who was fired ten years ago for sending messages to his fiancée and brother from his workplace Yahoo Messenger account.

Romanian courts had earlier rejected Barbulescu’s complaint that his employer had violated his right to correspondence, including a ruling in January last year that it was not “unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours.”
Now the European court has ruled by an 11-6 majority that the Romanian judges failed to protect Barbulescu’s right to private life and correspondence, as set out in Article 8 of the European Convention on Human Rights.
The court found that Barbulescu’s employer had infringed his right to privacy by not informing him in advance that the company was monitoring his account and communications; the employer had used surveillance software to monitor his computer activity.
“The right to respect for private life and for the privacy of correspondence continued to exist, even if these might be restricted in so far as necessary,” the court writes in a press release about the decision.

The Court considered, following international and European standards, that to qualify as prior notice, the warning from an employer had to be given before the monitoring was initiated, especially where it entailed accessing the contents of employees’ communications.

The ruling is binding on the 47 countries that have ratified the European Convention on Human Rights.
In a Q&A on its website, the ECHR says the judgment does not mean that companies cannot monitor their employees’ communications at work, nor that they cannot dismiss employees for private use of work systems.
However, employers must inform staff in advance if their communications are being monitored, and the monitoring must be carried out for legitimate purposes and be limited in scope.

Android Trojan Now Targets Non-Banking Apps that Require Card Payments

The infamous mobile banking trojan that recently added ransomware features, stealing sensitive data and locking user files at the same time, has now been modified to steal credentials from Uber and other booking apps as well.
Security researchers at Kaspersky Lab have discovered a new variant of the Android banking trojan Faketoken that can detect and record an infected device’s calls and display overlays on top of taxi-booking apps to steal payment card data.
Dubbed Faketoken.q, the new variant is distributed through bulk SMS messages that prompt users to download an image file, which actually delivers the malware.

Malware Spy On Telephonic Conversations

Once downloaded, the malware installs the necessary modules and the main payload, which hides its shortcut icon and begins monitoring everything that happens on the infected device, from every call to every launched app.

When calls are made to or received from certain phone numbers, the malware records the conversations and sends the recordings to the attackers’ server.
Faketoken.q also checks which apps the owner is using; when it detects the launch of an app whose interface it can imitate, the trojan immediately covers that app with a fake user interface.

Malware Exploits Overlay Feature to Steal Credit Card Details

To achieve this, the trojan uses the same standard Android feature that many legitimate apps, such as Facebook Messenger and window managers, use to draw overlays on top of other apps.
The fake interface prompts the victim to enter payment card data, including the bank’s verification code, which attackers can later use to initiate fraudulent transactions.
Faketoken.q is capable of overlaying a large number of mobile banking apps as well as miscellaneous applications, such as:

  • Android Pay
  • Google Play Store
  • Apps for paying traffic tickets
  • Apps for booking flights and hotel rooms
  • Apps for booking taxis

Since the fraudsters need the SMS code the bank sends to authorise a transaction, the malware also intercepts incoming SMS messages and forwards them to the attackers’ command-and-control (C&C) server.

According to the researchers, Faketoken.q targets Russian-speaking users, as its user interface is in Russian.

Ways to Protect Against Such Android Banking Trojans

The easiest way to avoid falling victim to such mobile banking trojans is not to install apps from links in messages or emails, or from third-party app stores.
You can also go to Settings → Security and make sure the “Unknown sources” option is turned off, which blocks installation of apps from outside the Play Store.
Most importantly, review app permissions before installing, even for apps from the official Google Play store. Be especially wary of apps that ask to draw over other apps or to read your SMS messages, the two capabilities Faketoken.q depends on; if an app asks for more than it plausibly needs, do not install it.
It is also a good idea to install an antivirus app from a reputable vendor that can detect and block such malware before it infects your device, and to keep your system and apps up to date.

Apple Users, Beware! A Nearly-Undetectable Malware Targeting Mac Computers

Yes, Macs can get malware that silently spies on their users. If you own a Mac and think you are immune, you are wrong.
An unusual piece of malware that can remotely take control of the webcam, screen, mouse and keyboard, and install additional malicious software, has been infecting hundreds of Mac computers for more than five years, and was detected only a few months ago.
Dubbed FruitFly, the Mac malware was initially spotted earlier this year by Malwarebytes researcher Thomas Reed, and Apple quickly released security updates to address it.
Months later, Patrick Wardle, a former NSA hacker and now chief security researcher at security firm Synack, discovered around 400 Macs infected with a newer strain of the malware (FruitFly 2) in the wild.

Wardle believes the number of Macs infected with FruitFly 2 is likely much higher, as he had access to only some of the servers used to control it.
Although it is unknown who is behind FruitFly or how it gets onto Macs, researchers believe the malware has been active for around ten years, as some of its code dates back as far as 1998.

“FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years,” Wardle wrote in the abstract of the talk he is presenting at Black Hat later this week.

Since the initial infection vector is unclear, FruitFly could, like most malware, arrive through a compromised website, a phishing email or a booby-trapped application.
FruitFly is surveillance malware capable of executing shell commands, moving and clicking the mouse cursor, capturing the webcam, killing processes, reporting the system’s uptime, taking screen captures, and even alerting the operator when the victim becomes active on the Mac again.

“The only reason I can think of that this malware has not been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure,” Reed wrote in the January blog post.

“Although there is no evidence at this point linking this malware to a specific group, the fact that it has been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.”

Wardle uncovered the FruitFly victims after registering a backup command-and-control (C&C) domain once used by the attacker; around 400 infected Macs then began connecting to his server.
From there he could see the victims’ IP addresses, which indicated that 90 percent were located in the United States.

Wardle could even see the names of the victims’ Macs, making it “really easy to pretty accurately say who is getting infected,” he told Forbes.
Rather than taking over those computers or spying on the victims, Wardle contacted law enforcement and handed over what he had found; agents are now investigating.
Wardle believes surveillance was FruitFly’s primary purpose, though it is unclear whether a government or another group is behind it.

“This did not look like cyber crime type behaviour; there were no ads, no keyloggers, or ransomware,” Wardle said. “Its features had looked like they were actions that would support interactivity—it had the ability to alert the attacker when users were active on the computer, it could simulate mouse clicks and keyboard events.”

Since FruitFly’s code even includes Linux shell commands, the malware would work just as well on Linux, so a Linux variant in operation would not come as a surprise.