FruitFly

FruitFly is designed to spy on mac users [1].

ID: S0277
Type: MALWARE
Platforms: macOS
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1543 .001 Create or Modify System Process: Launch Agent

FruitFly persists via a Launch Agent.[1]

Enterprise T1083 File and Directory Discovery

FruitFly looks for specific files and file types.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

FruitFly saves itself with a leading "." to make it a hidden file.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

FruitFly will delete files on the system.[1]

Enterprise T1027 Obfuscated Files or Information

FruitFly executes and stores obfuscated Perl scripts.[1]

Enterprise T1057 Process Discovery

FruitFly has the ability to list processes on the system.[1]

Enterprise T1113 Screen Capture

FruitFly takes screenshots of the user's desktop.[1]

References