Spring is obviously the season for the detection of new malware affecting macOS and OS X users. This time, thanks to the work of the folk at Fox-IT Threat Intelligence, it looks like it may have been spotted while still being tested, and before release. It also seems likely that it is intended for use in targeted attacks, ‘spear phishing’, rather than as a more general release.
Snake is a port of a complex and sophisticated malware system which has already been used on Windows systems to steal sensitive information from government, military, and large corporate systems. Its Windows version has been attributed to Russian operatives, and there is evidence to believe that the macOS version is no different in this respect.
Like some other malware and unwanted software, it presents as a Zip archive purporting to be Adobe Flash Player.app.zip, but is supplied from other locations (not from Adobe). This underlines the importance of never touching anything claimed to be a Flash update unless it has been obtained directly from Adobe’s Flash Player site.
This runs the malware installer, which installs a LaunchDaemon and various other payload components. The fake Flash Player installer is signed, and the Fox-IT article gives full details of that signature. Hopefully Apple has already revoked that developer certificate, so that Gatekeeper will now refuse to run the installer.
Among its signature features is the installation of a Launch Daemon in /Library/LaunchDaemons, claiming to be com.adobe.update.plist. This is quite cunning, as there are often several com.adobe property list files in that folder, but none should have that exact name.
It also installs two files, installd.sh and queue, in /Library/Scripts. This is odd, and suggests that its developers are not as knowledgeable about macOS as they think. /Library/Scripts is, of course, a folder which normally contains AppleScripts, usually tucked away in their own folders. It does not contain shell scripts, and seldom has any files at that level.
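The file-system indicators just described translate directly into a check that an administrator can run from the Terminal. The following script is an added example, not code from the original post or from Fox-IT: it looks for the com.adobe.update.plist daemon and the two files in /Library/Scripts, takes an optional volume root argument (an assumption of this example, so a mounted disk image or a scratch directory can be scanned instead of the live system), and goes one step beyond the named indicators by listing any plain file at the top level of /Library/Scripts, on the reasoning above that only folders of AppleScripts belong there. The Gatekeeper check uses the standard macOS spctl and codesign tools and is skipped where they are absent.

```shell
#!/bin/sh
# Added example, not code from the original post or from Fox-IT. It checks a
# macOS volume for the file-system indicators described above. The ROOT
# argument (an assumption of this example) defaults to "/" so the same
# functions can be pointed at a mounted disk image or a scratch directory.

# Print each indicator found under the given root; return 1 if any was found.
snake_indicators() {
  root="${1:-/}"
  found=0
  # The Launch Daemon masquerading as an Adobe updater. Other com.adobe.*
  # plists are common here, but none should have this exact name.
  if [ -f "$root/Library/LaunchDaemons/com.adobe.update.plist" ]; then
    echo "FOUND: $root/Library/LaunchDaemons/com.adobe.update.plist"
    found=1
  fi
  # The two payload files dropped at the top level of /Library/Scripts.
  for f in installd.sh queue; do
    if [ -e "$root/Library/Scripts/$f" ]; then
      echo "FOUND: $root/Library/Scripts/$f"
      found=1
    fi
  done
  return "$found"
}

# Beyond the named indicators: /Library/Scripts normally holds only folders
# of AppleScripts, so any plain file at its top level deserves a look
# whatever it is called. Prints each such file; always returns 0.
scripts_loose_files() {
  root="${1:-/}"
  dir="$root/Library/Scripts"
  [ -d "$dir" ] || return 0
  for p in "$dir"/* "$dir"/.[!.]*; do
    [ -e "$p" ] || continue   # an unmatched glob stays literal; skip it
    [ -d "$p" ] && continue   # folders of scripts are expected here
    echo "LOOSE FILE: $p"
  done
  return 0
}

# macOS only: ask Gatekeeper whether it would still run a downloaded
# installer, and show who signed it. Relevant once the developer
# certificate has been revoked. Elsewhere spctl/codesign do not exist.
assess_installer() {
  app="$1"
  if command -v spctl >/dev/null 2>&1; then
    spctl --assess --type execute --verbose "$app"
    codesign --display --verbose=2 "$app"
  else
    echo "spctl/codesign not available; skipping Gatekeeper assessment"
  fi
}

# Live scan of the boot volume when invoked as:  sh snake_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
  if snake_indicators "/"; then
    echo "No Snake indicators found"
  fi
  scripts_loose_files "/"
fi
```

Run with `--scan` to check the boot volume; pass a different root to the functions to inspect another volume. A hit on com.adobe.update.plist alone is not proof of infection, but the exact name plus loose files in /Library/Scripts is exactly the combination the post describes, so both checks are reported separately.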
At the moment, this is not detected by any anti-virus software, but is blocked effectively by Objective-See’s BlockBlock, which watches for this type of behaviour in potential malware. Commercial anti-virus products are expected to add protection over the coming days, and Apple will undoubtedly be updating security data files shortly too.
All the current information points to this malware being a serious threat to those working in targeted organisations. Other Mac users are very unlikely to come across this, we hope. Further details are on the Fox-IT blog.