Malware

Snake Malware Ported from Windows to Mac

Posted on May 10th, 2017 by

Snake Malware

Fox IT discovered a macOS version of "Snake" malware, a nearly decade old Windows malware, also known as Turla, Uroburos and Agent.BTZ, and said to be a complex framework used for targeted attacks. Ported from Windows to Mac, Snake malware is a trojan horse presented as a Flash Player update installer; if installed, Snake opens a backdoor on the infected Mac.

Intego VirusBarrier identifies and eradicates this trojan horse malware as OSX/Snake.

The Windows malware variant includes the ability to detect analysis tools like wireshark and tcpdump, and it will not run if processes are active. On the Mac, this detection evasion system is not present.

Trojans are used by malware authors so as to create a backdoor on an infected system, typically to exfiltrate data from the infected machine. With Snake for macOS, we can assume data is copied from the system, but whether this means files with a certain extension, screenshots, microphone or camera data is unclear at this time.

What is the infection vector?

Infection vector is currently unknown, however, phishing and spear phishing attacks are the most likely distribution methods. Snake's Windows counterpart have been found in government institutions, military and large corporations, in the past. These are very specific targets, so running into this on a random website is unlikely at this time. That said, the macOS version of Snake is believed to be so new that it may not have been actively used yet. The author may continue focus on the same high profile targets or could just let loose on the Web, making BitTorrent sites a likely candidate as fake Flash Player pop-ups are the norm there.

At the time the installer was signed with a valid Developer ID, under the name Addy Symonds. This ID has since been revoked by Apple.

How and where does Snake install?

The malware ends up on a system in the form of a zip file, named "Install Adobe Flash Player.app.zip." When opened, a Flash Player installer application will appear. Upon opening the application, the user will be immediately presented with the request for an administrator password.

Once the password is provided, the installation will begin and the process will look similar to the real thing.

This is because, in part, it is the real thing. Flash Player is actually installed on the system, but not before the following files are dropped on the now infected Mac:

/Library/Scripts/queue
/Library/Scripts/installdp
/Library/Scripts/installd.sh
/Library/LaunchDaemons/com.adobe.update.plist

The process "installdp" provides the backdoor to those on the other end of the Command & Control (C&C) server. Flash Player itself does not appear to be tampered with, but the usual vulnerabilities can be expected of it.

Several invisible files are installed as well, detailed below.

Should Mac users be concerned about Snake?

B aware of the way in which Snake infects a system. It uses a real looking installer and is carefully crafted code. We recently saw SilverInstaller utilizing the Mac malware and also employed new techniques. For years, Intego has speculated Mac malware would steadily evolve and become more sophisticated. And now with malware authors having porting tried and true, sophisticated Windows malware over to the Mac, we believe this evolution process is sped up significantly.

macOS is currently able to thwart malware in ways that do not allow it to reach their full potential, but malware authors will likely find ways to deal with this. Snake runs on OS X 10.10 Yosemite, 10.11 El Capitan and macOS 10.12 Sierra.

How to tell if your Mac is infected (and removal instructions)

As mentioned previously, these files are placed on the system during installation:

/Library/Scripts/queue
/Library/Scripts/installdp
/Library/Scripts/installd.sh
/Library/LaunchDaemons/com.adobe.update.plist

If these files are present, delete them and restart your Mac.

The following files are also placed:

/var/tmp/.ur-*
/tmp/.gdm-socket
/tmp/.gdm-selinux

The .gdm- files are sockets and facilitate the communication between different processes. To gain access to the /var and /tmp folders, you'll have to make them visible first as macOS hides them by default. Making invisible folders visible has the added advantage of being able to see the socket files as well, because those too are hidden with the period preceding their name.

In macOS Sierra this can quickly be done with the following key combination:

Command-Shift-. (period)

For older OS X versions this can be done by typing the following commands in the Terminal app:

$ defaults write com.apple.Finder AppleShowAllFiles true
$ killall Finder

If present, delete the files and restart your Mac. When done, enter the same commands but change "true" to "false."

For Intego VirusBarrier customers with up-to-date virus definitions, the antivirus software will detect and remove all Snake files, identified as OSX/Snake.A.

How to protect yourself from Snake

Anything involving Flash Player should throw up a big red flag these days. There are just too many fake Flash Player installers out there, and these trojan horse scams may trick you into installing malware.

Be vigilant when opening email attachments or with clicking on any pop-ups asking you to install something, which you may see while browsing the Web. If it is software you happen to be interested in, get it straight from the source instead of from that third-party popup window.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread. View all posts by Jay Vrijenhoek →