One of the most sophisticated Russian cyberespionage groups has recently ported its Windows backdoor program to macOS.
The group has been active since 2007 and is known to security researchers as Snake, Turla, and Uroburos. According to the researchers, its malware has been responsible for some of the most complex cyberespionage attacks seen so far. The malware targets military organizations, government entities, embassies, intelligence agencies, large corporations, and research and academic institutions.
“Compared to other prolific attackers with alleged ties to Russia, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), Snake’s code is significantly more sophisticated, its infrastructure more complex and targets more carefully selected,” the Dutch cybersecurity company Fox-IT said.
Snake’s attacks usually target Windows users, and its malware framework was originally built for that platform. In 2014, though, Kaspersky Lab security experts discovered a Linux component linked to the Snake toolkit, suggesting that the group was expanding its activities to other platforms. Now it looks like Snake is also interested in Mac users.
Not long ago, security researchers from Fox-IT discovered a macOS version of the group’s malware tool which turned out to be a direct port of its Windows version, as it still has artefacts referencing Microsoft’s Internet Explorer in the code.
According to the Fox-IT experts, the macOS malware is still in the development or testing stage and is not yet being distributed in the wild. Nevertheless, it is real proof that Snake is now targeting Apple users, which is not surprising at all, considering that MacBooks are very popular among high-level executives.
Fox-IT researchers found that the Snake macOS sample was disguised as a Flash Player installer and was signed with an Apple-issued developer certificate that was most probably stolen. Such code-signing certificates are issued by Apple to members of its developer program and are needed for publishing applications in the official Mac App Store.
However, the most important point in this case is that applications signed with valid Apple developer certificates do not prompt any security alerts during installation, and the macOS Gatekeeper security feature does not block them.
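Because a valid Developer ID signature is exactly what keeps Gatekeeper quiet, the practical check is not "is it signed?" but "who signed it, and does Gatekeeper still accept it now that Apple may have revoked the certificate?". The script below is an added example, not code from the article or from Fox-IT. It assumes a macOS host with the stock `codesign` and `spctl` tools, and the `EXPECTED_TEAM_ID` value is a placeholder you replace with the vendor's real Team ID; the sample `codesign` output in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the article or Fox-IT): inspect an installer's
# code signature and Gatekeeper verdict before trusting it.
# Assumes macOS with the stock `codesign` and `spctl` tools.

# Placeholder: replace with the Team ID of the vendor you expect to have
# signed the installer (e.g. the one printed in Adobe's own downloads).
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-PLACEHOLDERTEAMID}"

# Extract the TeamIdentifier=... value from `codesign -dv --verbose=4` output.
# Prints the ID, or nothing if the signature carries no team identifier.
team_id_from_codesign() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 when a non-empty signing team ID equals the expected one, 1 otherwise.
team_id_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

check_installer() {
    app="$1"
    # codesign writes its description to stderr, hence 2>&1.
    if ! sig="$(codesign -dv --verbose=4 "$app" 2>&1)"; then
        echo "unsigned or invalid signature: $app"
        return 1
    fi
    tid="$(team_id_from_codesign "$sig")"
    if ! team_id_matches "$tid" "$EXPECTED_TEAM_ID"; then
        echo "signed, but by unexpected team '$tid' (expected $EXPECTED_TEAM_ID): $app"
        return 1
    fi
    # spctl reports the current Gatekeeper verdict; once Apple revokes the
    # developer certificate this assessment starts failing even though the
    # signature itself is still structurally valid.
    if ! spctl --assess --type execute --verbose=4 "$app" 2>&1; then
        echo "Gatekeeper rejects: $app"
        return 1
    fi
    echo "signing team matches and Gatekeeper accepts: $app"
}

# usage: EXPECTED_TEAM_ID=XXXXXXXXXX sh check_installer.sh /path/to/Installer.app
if [ -n "${1:-}" ]; then
    check_installer "$1"
fi
```

On a real bundle, `codesign -dv --verbose=4` prints one `Authority=` line per certificate in the chain plus a `TeamIdentifier=` line; the script keys on the latter rather than on the human-readable vendor name, because the name is what a look-alike certificate would imitate. A non-zero exit from `spctl --assess` is the signal to act on.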
About a week ago, experts from Check Point Software Technologies discovered a different macOS malware program that was also signed with a stolen Apple certificate.
Fox-IT researchers have alerted Apple’s security team about the Snake macOS version, so Apple will most probably revoke the certificate. Nevertheless, considering the resources of the cyberespionage group, it will most likely abuse another certificate in the near future.