Wardle performed his analysis on Fruitfly not by reverse engineering the Mac malware, but rather by creating a custom C&C server to interact with it.

A security researcher looking into a variant of the Mac spyware Fruitfly uncovered a pool of roughly 400 infected victims, after registering a back-up command-and-control server that was coded in a sample of the malware and taking it over, according to multiple news outlets.

The researcher, Patrick Wardle, chief security researcher at Synack and founder of Objective-See, identified many of these victims as ordinary individuals – most located in the U.S., with a high concentration within Ohio, Threatpost reported. It was a surprising finding, considering that a previous analysis of Fruitfly samples by Malwarebytes found that the spyware appeared to be specifically targeting biomedical research facilities.

According to a Forbes report, Wardle could see victims' IP addresses and the name of their Mac computers, reporting his findings to law enforcement.

ZDNet reported that the Fruitfly variant Wardle observed could control the keyboard and mouse, take screenshots and turn on the webcam, modify files, run commands in the background, and send an alert when the user is active in order to remain stealthy.

Wardle will be presenting his findings in detail later this week at the Black Hat security conference in Las Vegas. According to Black Hat's synopsis of his session, Wardle performed his analysis not by reverse engineering Fruitfly, but rather by creating a custom C&C server to "coerce the malware to reveal its full capabilities." This process essentially allowed Wardle to take over the malware's domain while hijacking its infected hosts.