Security researchers have discovered a version of Snake, a malware framework used in espionage against government agencies and corporations, built to attack macOS devices.
Fox-IT, a Dutch cybersecurity firm, reported Wednesday that it had identified a version of the framework designed to target computers running macOS. The firm expects the malware to be used soon against owners of Apple desktops and laptops.
The framework, also known as Uroburos and associated with the Turla group and its earlier Agent.BTZ tooling, has been used in the past against high-profile individuals and organizations. Fox-IT noted that the framework is very sophisticated and that its targets are usually carefully selected.
A report from Kaspersky Lab suggested the framework has been used to hit “several hundred computers in more than 45 countries.” Targets of those attacks included government institutions, embassies, military, colleges and universities, researchers and pharmaceutical companies.
Snake has been used in targeted operations that have been attributed to Russian attackers. Kaspersky Lab's analysis found artifacts in the code of those attacks suggesting the operators were Russian.
The Snake framework is considered more sophisticated than the toolsets used by other notable Russian groups, including Cozy Bear and Fancy Bear.
Until now, the Snake builds seen in the field have targeted Windows machines (Kaspersky Lab has also described a Linux variant). Fox-IT said the framework is built to hide its own components and keep low-level access to network communication, letting the attacker monitor the victim's activity discreetly.
The MacOS version of Snake discovered by Fox-IT appears to be a direct port of the Windows version, complete with Windows terminology intact. The code references “explorer” and “Internet Explorer” among other Windows-centric terms.
The malware is delivered in a ZIP archive named “Adobe Flash Player.app.zip” that poses as an Adobe Flash Player installer. The installer has been backdoored so that running it also installs the Snake components on the device.
The backdoored installer is signed with a valid Apple developer certificate, which lets it pass Gatekeeper, the macOS control that blocks unsigned or unidentified applications downloaded from the internet. A valid signature only tells Gatekeeper who signed the bundle, not whether it is safe: until Apple revokes the certificate, the installer runs without the usual warning.
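The points above, a lure archive carrying a mis-named, backdoored .app bundle and a code signature that Gatekeeper trusts, can be checked offline before the archive is ever opened on a Mac. The script below is an added example written for this page; it is not Fox-IT's tooling or code from the Snake sample. The sample archive it builds, the bundle identifier `com.example.installer` and the "name mimics Adobe" heuristic are all constructed for the example, and the bundle contents are invented. The only real verifiers are `codesign` and `spctl`, which the script calls only when it is actually running on macOS.

```python
"""Offline triage of a ZIP that claims to be a macOS installer.

Added example, not Fox-IT's or Snake's code. The sample archive below is
constructed for this example and contains no real malware.
"""
from __future__ import annotations

import io
import plistlib
import shutil
import subprocess
import sys
import zipfile

# Mach-O and fat-binary magic numbers, both byte orders.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def build_sample_zip() -> bytes:
    """Constructed lure: the bundle name from the report, invented contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        info = {"CFBundleIdentifier": "com.example.installer",  # assumed, not Adobe's
                "CFBundleExecutable": "Install",
                "CFBundleName": "Adobe Flash Player"}
        z.writestr("Adobe Flash Player.app/Contents/Info.plist", plistlib.dumps(info))
        # 64-bit little-endian Mach-O magic followed by filler; not a real binary.
        z.writestr("Adobe Flash Player.app/Contents/MacOS/Install",
                   b"\xcf\xfa\xed\xfe" + b"\0" * 28)
        # No Contents/_CodeSignature/CodeResources entry: the bundle is unsigned.
    return buf.getvalue()


def inspect_zip(data: bytes) -> dict[str, dict]:
    """Collect, per .app bundle in the archive, the facts a triager checks first."""
    bundles: dict[str, dict] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            parts = name.split("/")
            apps = [p for p in parts if p.endswith(".app")]
            if not apps:
                continue
            b = bundles.setdefault(apps[0], {"bundle_id": None, "executable": None,
                                             "signed": False, "macho": []})
            if name.endswith("Contents/Info.plist"):
                plist = plistlib.loads(z.read(name))
                b["bundle_id"] = plist.get("CFBundleIdentifier")
                b["executable"] = plist.get("CFBundleExecutable")
            elif name.endswith("Contents/_CodeSignature/CodeResources"):
                b["signed"] = True  # a signature is present; validity is still unknown
            elif "/Contents/MacOS/" in name and not name.endswith("/"):
                if z.read(name)[:4] in MACHO_MAGICS:
                    b["macho"].append(parts[-1])
    return bundles


def assess(bundles: dict[str, dict]) -> list[str]:
    """Turn the collected facts into findings; the name heuristic is this example's."""
    findings = []
    for app, b in bundles.items():
        bid = b["bundle_id"] or ""
        if "flash" in app.lower() and not bid.startswith("com.adobe."):
            findings.append(f"{app}: name mimics an Adobe installer, bundle id is {bid!r}")
        if not b["signed"]:
            findings.append(f"{app}: no code signature in the archive")
        if b["executable"] and b["executable"] not in b["macho"]:
            findings.append(f"{app}: CFBundleExecutable {b['executable']!r} is not Mach-O")
    return findings


def verify_on_macos(app_path: str) -> dict[str, str]:
    """Ask the real verifiers on macOS; elsewhere report them as unavailable."""
    if sys.platform != "darwin" or not shutil.which("codesign"):
        return {"codesign": "unavailable", "spctl": "unavailable"}
    cmds = {"codesign": ["codesign", "--verify", "--deep", "--strict", "--verbose=2", app_path],
            "spctl": ["spctl", "--assess", "--type", "execute", "--verbose", app_path]}
    out = {}
    for tool, argv in cmds.items():
        r = subprocess.run(argv, capture_output=True, text=True)
        out[tool] = (r.stderr + r.stdout).strip() or f"exit {r.returncode}"
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    for finding in assess(inspect_zip(data)):
        print(finding)
```

The archive checks flag the obvious lure (Adobe-looking name, non-Adobe bundle identifier, missing or stripped signature). They cannot replace the signature check: on an extracted bundle signed with a still-valid Developer ID certificate, `spctl --assess` reports it as accepted, which is precisely why a stolen or fraudulently obtained certificate is worth so much to an attacker and why reporting it for revocation matters.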
Fox-IT said the code of the macOS version of Snake contains indications that the attackers are Russian, much as the Windows version does. The researchers noted that the temporary files in which the framework stores command output use an encoding chosen to handle the Cyrillic alphabet.
Snake is typically spread through phishing, with emails sent to targeted individuals in the hope that they will click a malicious link and install the infected file. Fox-IT has not yet seen the macOS version in the wild and believes it is not yet operational, but expects it to be used in the future.
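When command output is recovered from temp files like the ones Fox-IT describes, the first forensic question is which Cyrillic-capable code page the bytes are in, since a wrong guess turns Russian text into uppercase soup or box-drawing characters. The helper below is an added example, not Fox-IT's analysis code; the page does not say which encoding Snake's temp files use, so the candidate list, the letter-frequency scoring and the sample Russian string are this example's own assumptions.

```python
"""Guess which Cyrillic-capable code page a recovered byte string uses.

Added example, not Fox-IT's analysis code. The candidate list and the
letter-frequency heuristic are this example's assumptions; the page does
not say which encoding the Snake temp files use.
"""
from __future__ import annotations

# Most frequent lowercase Russian letters. A correct decoding of Russian text
# is dominated by these, while a wrong code page yields uppercase letters or
# symbols instead (e.g. cp1251 bytes read as koi8-r come out as capitals).
RUSSIAN_TOP = set("оеаинтсрвлкмдпу")

# Assumed candidate set: Unicode plus the single-byte Cyrillic code pages
# commonly seen in Windows, DOS, Unix, ISO and classic Mac OS environments.
CANDIDATES = ("utf-8", "cp1251", "koi8-r", "cp866", "iso8859-5", "mac-cyrillic")


def score(text: str) -> float:
    """Reward common lowercase letters, penalise non-ASCII, non-Cyrillic output."""
    chars = [c for c in text if not c.isspace()]
    if not chars:
        return 0.0
    total = 0
    for c in chars:
        if c in RUSSIAN_TOP:
            total += 1
        elif ord(c) >= 0x80 and not 0x400 <= ord(c) <= 0x4FF:
            total -= 1  # symbol or box-drawing character: wrong code page
    return total / len(chars)


def guess_encoding(data: bytes) -> tuple[str | None, dict[str, float]]:
    """Return the best-scoring candidate and every candidate's score."""
    scores: dict[str, float] = {}
    for enc in CANDIDATES:
        try:
            scores[enc] = score(data.decode(enc))
        except UnicodeDecodeError:
            continue  # this code page cannot even decode the bytes
    if not scores:
        return None, scores
    return max(scores, key=scores.__getitem__), scores


# Constructed sample: Russian command output as it might sit in a temp file.
SAMPLE_TEXT = "команда выполнена: файл не найден, повторяю попытку"

if __name__ == "__main__":
    for enc in ("cp1251", "koi8-r", "utf-8"):
        best, scores = guess_encoding(SAMPLE_TEXT.encode(enc))
        print(f"encoded as {enc:<12} -> guessed {best}")
```

Scoring on lowercase frequency rather than on "is it Cyrillic at all" matters because cp1251 and koi8-r both map the 0xC0-0xFF range to Cyrillic letters; only the case and ordering differ, so a naive Cyrillic-ratio test cannot tell them apart. Once the code page is known, the decoded output can be searched for the command names and paths that reveal what the operator was doing on the host.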