Windows’ Snake Backdoor Malware Comes to Bite Mac Users


A sophisticated cyberespionage group from Russia has ported a backdoor that has been infecting Windows systems since at least 2008 to macOS. The group is apparently readying its sophisticated toolkit for use against Mac users.

macOS malware disguises itself as a real-looking Adobe Flash Installer

The backdoor malware, known as Snake, Turla and Uroburos, is believed to be Russian government malware and is highly sophisticated. It was seen infecting Windows and then Linux systems in 2014, and now it appears to be the Mac's turn. Snake disguises itself as a legitimate Adobe Flash Player installer and hides in existing macOS folders, making it harder to spot. Even with Gatekeeper enabled, the malware was able to run thanks to a valid developer certificate.


Security researchers at the Dutch cybersecurity firm Fox-IT wrote in a blog post:

"Compared to other prolific attackers with alleged ties to Russia, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), Snake's code is significantly more sophisticated, its infrastructure more complex and targets more carefully selected."

Whatever Fox-IT says, the Mac version at least does not appear to be that sophisticated: its tactic of posing as an Adobe Flash Player installer has been used forever to attract easy targets.

The Snake macOS malware is hidden inside a legitimate-looking file named "Install Adobe Flash". The certificate, however, is issued to one "Andy Symonds" and not to Adobe, but few average users will ever notice. Since it is signed, regardless of to whom, Apple's Gatekeeper allows it to run, giving it free rein.

Once run, the app asks for an admin password, which is also what the real Flash installer does, so no alarm bells ring for the user. When the user provides the password, the installer continues to behave like the real thing, actually installing Flash Player. Here you can give it credit for being sophisticated, because most attackers don't go to such lengths to avoid detection: the zip file contains both the malware and the real Flash installer, so a curious user who looks sees nothing amiss.


Mitigation and what to do if this macOS malware infects your Mac

Apple acted quickly, revoking the certificate, so this particular sample is no longer a danger to macOS users. Researchers at Malwarebytes wrote that it won't be a problem "unless the user is tricked into downloading it via a method that doesn't mark it with a quarantine flag (such as via most torrent apps)."

Fox-IT added that the certificate for the Snake malware was signed in February this year, which means it may not have been operational yet but could soon have been used on its targets. Apple will no longer show the developer certificate as valid. However, if you are worried that you have already fallen for it, you can use Malwarebytes' free software for Mac and look for "OSX.Snake" to see if you are affected.

Malwarebytes recommended looking for the following files if you want to check manually for the Snake macOS malware:

  • /Library/Scripts/queue
  • /Library/Scripts/installdp
  • /Library/Scripts/
  • /Library/LaunchDaemons/com.adobe.update.plist
  • /var/tmp/.ur-*
  • /tmp/.gdm-socket
  • /tmp/.gdm-selinux
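The manual check above can be turned into a repeatable scan. The following POSIX shell script is an added example, not code from the article or from Malwarebytes: it looks for each of the listed indicators, expands the `/var/tmp/.ur-*` wildcard, and lists the contents of `/Library/Scripts/` for review (that directory exists on a stock macOS install, so its presence alone is not counted as a hit). The optional root-prefix argument and the `SNAKE_ROOT` variable are assumptions added so the same function can be exercised against a constructed directory tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the article or Malwarebytes): scan for the Snake
# macOS indicators listed above. The optional ROOT argument is an assumption
# for testing; it prefixes every path so the function can be pointed at a
# constructed directory tree. Prints each matching path and a count; returns
# 0 when no indicator is present and 1 when at least one is found.
snake_check() {
    root="${1:-}"
    found=0

    # Fixed paths taken from the indicator list.
    for p in \
        /Library/Scripts/queue \
        /Library/Scripts/installdp \
        /Library/LaunchDaemons/com.adobe.update.plist \
        /tmp/.gdm-socket \
        /tmp/.gdm-selinux
    do
        if [ -e "$root$p" ]; then
            echo "FOUND: $p"
            found=$((found + 1))
        fi
    done

    # Wildcard indicator: anything in /var/tmp whose name begins with ".ur-".
    for f in "$root"/var/tmp/.ur-*; do
        [ -e "$f" ] || continue
        echo "FOUND: ${f#"$root"}"
        found=$((found + 1))
    done

    # /Library/Scripts/ exists on a stock macOS install, so it is not counted
    # as a hit by itself; list its contents so unexpected entries stand out.
    if [ -d "$root/Library/Scripts" ]; then
        echo "Contents of /Library/Scripts for review:"
        ls -la "$root/Library/Scripts"
    fi

    echo "$found indicator(s) matched"
    [ "$found" -eq 0 ]
}

# Scan the live system when run directly (SNAKE_ROOT is an assumed test hook).
snake_check "${SNAKE_ROOT:-}"
```

Run it with `sudo sh snake_check.sh` so the scan can read `/Library/LaunchDaemons` and the hidden files under `/tmp` and `/var/tmp`; a non-zero exit status means at least one indicator was present and the steps below apply.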

If you are infected, do remember that your data may already have been stolen. "Keep in mind that, even if you use File Vault, the files are decrypted as long as you’re logged in, so this doesn’t really count," Malwarebytes warned.

The security firm advised following these steps if you are affected:

  1. Remove the malware.
  2. Restart your computer.
  3. Change your passwords.
  4. Finally, take whatever steps the possible data exfiltration requires, including calling your IT department if it was a company system.

While the Snake macOS malware no longer appears to be a sophisticated danger, given the resources of the cyberespionage group it would not be surprising if the group found another certificate to abuse. Users should take care when downloading apps and watch out for spear-phishing emails.