## The case of the fly on the wall #### ...and the legal issues of disclosing malware ----- #### % whoami Thomas Reed @thomasareed treed@malwarebytes.com ----- ## OSX.FruitFly #### • ### All-purpose, extremely unique, backdoor #### • ### Perl script, containing "helpers": #### • ### Mach-O binary #### • ### Java class #### • ### Another Perl script ----- ## First-stage Perl #### • ### Communicates with C&C #### • ### Executes commands (with assist from helpers) #### • ### Exfiltrates data ----- ## First-stage Perl ###### for (my$n;; sleep $n) { ##### Loop every 10 seconds ###### $n = 10; ... for (;;) { ##### Read one byte from C&C socket ###### my$s = ord B 1; if ($s == 0) {} ##### If byte (command) is 2... ###### elsif($s == 2) { ... elsif(!system(($m ? 'screencapture -x' : 'xwd -silent -root '. '-display :0.0 | convert xwd:-'). ' /tmp/scrn.png')) { my$v = N('/tmp/scrn.png'); ##### Capture screen to /tmp/scrn.png ###### unlink '/tmp/scrn.png'; if (defined$v) { ##### Read image into memory ###### A "\2".K($v) } ##### Write image to C&C socket ----- ## More details... #### • ### Offensive Malware Analysis: Dissecting OSX/ FruitFly.b via a Custom C&C Server #### • ### https://www.virusbulletin.com/uploads/pdf/ magazine/2017/VB2017-Wardle.pdf ----- ## Discovery of FruitFly ##### Case Western Reserve University (CWRU) ### Jan. 4, 2017 ##### •Notified of infection •100+ more systems found infected FBI contacted ### Jan. 5, 2017 ##### Suspect identified ### Jan. 6, 2017 ##### •Computers compromised for several years •IP address used by malware had been used to access alumni e-mail account •Phillip Roman Durachinsky becomes suspect ----- ##### "I found this hidden .client file at the root of a ### Jan. 10, 2017 ##### user directory on a client that security reported was making peculiar outbound traffic." FruitFly discovery released ### Jan. 18, 2017 ##### •Malwarebytes blog (10 am EST) •MRT update ----- ##### FBI raid! ### Jan. 18, 2017 ##### •Durachinsky's parents (10 pm EST) •Allowed to enter •Told that Durachinsky had been in trouble for hacking in high school •Confiscated laptop that was on and being remotely controlled •Also found numerous hard drives •Timing due to data deletion concerns! # 🤦 ----- ##### Warrant signed to access data ### Jan 19, 2017 ##### •20 million collected files (4:40 am EST) •Thousands of victims •Child pornography Durachinsky arrested ### Jan 25, 2017 ----- ### Mar. 27, 2017 [FBI issues a FLASH with malware details] ##### Mar. 4, 2020 ###### https://reverse.put.as/2020/03/04/a-fruitfly-dropper-and-the-missing-tricks/ ----- ##### Durachinsky indicted on 16 counts ### Jan. 10, 2018 ##### •Damaging Protected Computers •Accessing Protected Computers •Production of Child Pornography •Wire Fraud (x3) •Aggravated Identity Theft (x4) •Accessing Government Computer Without Authorization •Illegal Wiretap (x5) ----- ### Apr. 28, 2019 [Defense files motion to suppress evidence] ##### •Claiming improper seizure •Requesting suppression of: •Evidence obtained from laptop •Confession ### May 13, 2019 [Prosecution responds] ----- ##### Debate continues after multiple hearings ### Today ----- ## What's the takeaway? #### • ### Malware disclosure is important for victims #### • ### Malware disclosure can interfere with legal process #### • ### Be mindful when disclosing #### • ### Consider engaging with law enforcement #### • ### eg, local office, InfraGard (FBI), etc -----