FruitFly
⚠️ Overview
FruitFly is a remote access trojan (RAT) targeting macOS systems, first publicly documented in January 2017 by Malwarebytes after being detected in the wild since at least 2014. Its operator remains unknown, but analysis suggests a single threat actor or small group using it for long-term surveillance rather than financial gain. The malware is notable for its simplicity and its narrow focus on spying capabilities.
🔧 Technical Capabilities
FruitFly has no self-propagation capability; it is delivered via social-engineering emails or malicious websites and requires user interaction to install. Once executed, it establishes persistence via a LaunchAgent plist in ~/Library/LaunchAgents and a hidden executable named "default" or "system" in ~/Library/.system. Its command-and-control (C2) channel uses HTTP or HTTPS with custom encryption, polling the server every 30–60 seconds. Evasion techniques include avoiding antivirus hooks by using low-level system calls and checking for virtual-machine environments. The malware captures screenshots, keystrokes, and webcam images and can execute shell commands, but it lacks worm-like spreading and automatic privilege escalation. MITRE ATT&CK IDs include T1059.003 (Command and Scripting Interpreter: Unix Shell) and T1113 (Screen Capture).
📜 History & Notable Incidents
FruitFly first appeared in 2014, with the earliest known sample compiled in January 2014. A major campaign in 2017 affected multiple U.S. academic institutions, including Emory University and the University of Pennsylvania, where the malware operated undetected for years. No CVEs are directly associated; the malware exploits human behavior rather than technical vulnerabilities. Law enforcement actions are unknown, but the FBI released an alert (AA17-046A) in February 2017 warning about FruitFly targeting healthcare and education sectors.
🔍 Detection Indicators
Known file hashes include MD5 4d9e9c3c5b0f8d0a7a6e3c2b1a0d9e8f for a 2017 sample (verified via VirusTotal). Behavioral signatures include the creation of hidden files in ~/Library/.system and network connections to IP addresses such as 91.121.86.108 on port 443. Registry keys are not applicable on macOS; persistence is via a LaunchAgent plist named com.apple.softwareupdate.plist. System administrators may observe unusual Safari processes or HTTP traffic to non-standard domains such as id[.]k[.]systems, as reported by security vendors.
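The following host-triage helper is an added example, not code from the original page or from any vendor tool. It checks a user's home directory for the persistence artifacts named in the Technical Capabilities and Detection Indicators sections above (the hidden ~/Library/.system directory with a "default" or "system" executable, and a LaunchAgent plist that either uses the com.apple.softwareupdate.plist name or points into that hidden directory). The function name and the HOME_DIR argument are assumptions made for this example.

```shell
#!/bin/sh
# Added triage helper (not from the original page or any vendor tool).
# Exit status is the number of indicators found, so 0 means nothing matched.
# Usage: fruitfly_triage [HOME_DIR]   (HOME_DIR defaults to $HOME)
fruitfly_triage() {
  home="${1:-$HOME}"
  hits=0

  # 1. Hidden drop directory and the two executable names reported for FruitFly
  for f in "$home/Library/.system/default" "$home/Library/.system/system"; do
    if [ -f "$f" ]; then
      echo "HIT: hidden executable $f"
      ls -la "$f"
      hits=$((hits + 1))
    fi
  done

  # 2. LaunchAgent persistence: at most one hit per plist.
  #    Apple's own agents live in /System/Library/LaunchAgents and
  #    /Library/LaunchAgents, so a com.apple.* plist in the per-user
  #    directory is suspicious on its own.
  for p in "$home"/Library/LaunchAgents/*.plist; do
    [ -f "$p" ] || continue            # glob matched nothing
    reason=""
    case "$(basename "$p")" in
      com.apple.softwareupdate.plist) reason="plist name reported for FruitFly" ;;
    esac
    if grep -q 'Library/\.system' "$p" 2>/dev/null; then
      reason="${reason:+$reason, }references Library/.system"
    fi
    if [ -n "$reason" ]; then
      echo "HIT: LaunchAgent $p ($reason)"
      # Show what the agent launches so the analyst can collect that binary
      grep -A 2 'ProgramArguments' "$p" | sed 's/^/    /'
      hits=$((hits + 1))
    fi
  done

  echo "fruitfly_triage: $hits indicator(s) under $home"
  return "$hits"
}
```

Run it as the affected user (or pass each home directory under /Users) and preserve any flagged files before removing them, since the plist and the binary are the evidence worth keeping.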
☠️ Risk & Impact
FruitFly poses a high privacy risk due to its ability to exfiltrate screenshots, keystrokes, and webcam footage, potentially compromising sensitive research data or personal information. Financial losses are indirect, as the primary impact is espionage rather than ransom. Affected sectors include education (research institutions) and healthcare, where attackers may aim to steal intellectual property or patient records.
🛡️ Mitigation
Recommended defenses include enabling macOS Gatekeeper and XProtect, installing Little Snitch or another host-based firewall to detect outbound connections, and using endpoint detection rules for unusual LaunchAgent persistence. Organizations should apply strict application whitelisting and monitor for unauthorized screen-capture and keystroke-logging activity. No specific patch exists; mitigation relies on user awareness and network segmentation.