Researchers have discovered a version of the infamous Snake cyber espionage tool used by Russian-speaking attackers that is designed to infect Macs.
Snake, also known as Turla, is a sophisticated piece of malware that has been used for several years by an APT group linked to Russia. The attackers have targeted government agencies and other victims in dozens of countries, including the United States, and the malware has a wide variety of capabilities. Until now, Snake had only been seen infecting Windows machines, but researchers at Fox-IT have come across a version designed to infect OS X machines. The researchers say the malware probably isn’t being used in active attacks yet.
“As this version contains debug functionalities and was signed on February 21st, 2017 it is likely that the OS X version of Snake is not yet operational. Fox-IT expects that the attackers using Snake will soon use the Mac OS X variant on targets,” the Fox-IT researchers said.
Snake is usually distributed through spearphishing emails with infected attachments designed to look like legitimate apps. In the OS X version, the malware is contained in a ZIP archive disguised as the Adobe Flash Player. If a user opens the attachment, the Snake malware installs itself on the machine, using a valid code-signing certificate to bypass Apple’s security restrictions on unsigned apps.
“In order for an Application to be run on OS X it has to be signed with a valid certificate issued by Apple or it would be blocked by GateKeeper (unless configured otherwise),” the researchers said.
The certificate used by Snake belongs to an actual developer, and the researchers say it likely was stolen by the attackers behind the malware. The OS X version of Snake hasn’t been seen in active attacks yet, and the Fox-IT researchers say the sample they’ve seen is probably an intermediate build.
“Snake binaries contain strings that can be obtained through snake_name_get() call. These strings are stored as a pair of 0x40 byte blobs that are XOR-ed against each other. In this binary the blobs only contain placeholders that are yet to be replaced by the actual values, which is another indication that this Snake binary is not yet ready to deploy to targets,” they said.
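The storage scheme described in that quote, as an added analysis helper that is not Fox-IT’s code and not taken from the sample: the page only states that each string lives in two 0x40-byte blobs XOR-ed against each other, so the exact layout assumed here (the two blobs adjacent, NUL-padded ASCII), the `build_pair` packer used to construct test data, and the placeholder heuristic are assumptions for illustration.

```python
BLOB_LEN = 0x40  # 64 bytes per blob, per the Fox-IT description


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def decode_pair(pair: bytes) -> str:
    """Recover the cleartext from one 0x80-byte pair of XOR-ed blobs.
    Assumes the two blobs are adjacent and the result is NUL-padded ASCII."""
    if len(pair) != 2 * BLOB_LEN:
        raise ValueError(f"expected {2 * BLOB_LEN} bytes, got {len(pair)}")
    plain = xor_bytes(pair[:BLOB_LEN], pair[BLOB_LEN:])
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def is_placeholder(decoded: str) -> bool:
    """Heuristic (an assumption, not from the page): an empty or non-printable
    result suggests the slot was never filled with a real value."""
    return decoded == "" or any(not 0x20 <= ord(c) <= 0x7E for c in decoded)


def build_pair(value: str, key: bytes) -> bytes:
    """Construct a blob pair for test data only: key blob, then value XOR key."""
    padded = value.encode("ascii").ljust(BLOB_LEN, b"\x00")
    return key + xor_bytes(padded, key)


def scan(data: bytes) -> list:
    """Walk a region of adjacent blob pairs; return (offset, string, placeholder?)."""
    out = []
    for off in range(0, len(data) - 2 * BLOB_LEN + 1, 2 * BLOB_LEN):
        s = decode_pair(data[off:off + 2 * BLOB_LEN])
        out.append((off, s, is_placeholder(s)))
    return out


# Constructed sample: a deterministic 0x40-byte key, one filled slot, one empty slot.
KEY = bytes((i * 37 + 11) & 0xFF for i in range(BLOB_LEN))
SAMPLE = build_pair("update.example", KEY) + build_pair("", KEY)


if __name__ == "__main__":
    for off, s, ph in scan(SAMPLE):
        print(f"0x{off:04x}: {s!r}{' (placeholder)' if ph else ''}")
```

On a real sample the region offsets would come from locating the blob pairs referenced by snake_name_get() in a disassembler; the scan here only walks the constructed buffer.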
Image: I for Detail, CC by license.