According to InfoWorld, the well-known Russian cyberespionage group Snake is preparing a large malware attack against Mac users. The group has been active since 2007 and is said to be porting its Windows backdoor program to work on macOS. Also known as Turla or Uroburos, it tends to target governments, militaries, large corporations, research and academic institutions, and intelligence agencies. According to experts, the group is well organized and far more sophisticated than your average bedroom hacker.
“Compared to other prolific attackers with alleged ties to Russia, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), Snake’s code is significantly more sophisticated, its infrastructure more complex and targets more carefully selected,” researchers from Dutch cybersecurity firm Fox-IT said in a blog post Wednesday.
While Snake has concentrated on the Windows ecosystem for its attacks, it seems the rise in Mac users has piqued its interest. The group’s malware tools are available if you know where to look, and research firm Fox-IT found evidence that the group is working on a macOS variant.
Now, Fox-IT has identified a version of Snake targeting Mac OS X that was uploaded to VirusTotal on May 2nd, 2017. As this version still contains debug functionality and was signed on February 21st, 2017, it is likely that the OS X version of Snake is not yet operational.
Fox-IT expects that the attackers using Snake will soon use the Mac OS X variant on targets.
For Windows versions, the architecture of Snake typically consists of a kernel mode driver designed to hide the presence of several Snake components and to provide low-level access to network communication. Depending on the architecture of a targeted machine, either kernel or user mode is used for network communication.
The OS X version of Snake is a port of the Windows version. References to explorer, Internet Explorer and Named Pipes, none of which exist on macOS, are still present in the binary.
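Leftover Windows strings of this kind are a cheap triage signal for a Mach-O binary that has been ported from Windows. The script below is an added example, not code from Fox-IT or from the article, and it does not process the actual Snake sample: the indicator list (explorer.exe, Internet Explorer, the `\\.\pipe\` Named Pipe prefix, plus kernel32.dll and HKEY_ as further assumed markers) and the sample bytes are constructed for demonstration. It extracts both ASCII and UTF-16LE strings, because Windows-origin code often stores wide strings that a plain ASCII strings(1) pass would miss.

```python
"""Triage helper: flag Windows artifacts surviving in a ported binary.

Added example; not Fox-IT code and not the Snake sample. The indicator
list and the sample bytes below are constructed assumptions.
"""
import re
from typing import Dict, List

# Assumed indicators of Windows-origin code left in a macOS port.
WINDOWS_INDICATORS = [
    "explorer.exe",
    "Internet Explorer",
    "\\\\.\\pipe\\",      # Named Pipe path prefix, i.e. \\.\pipe\ on Windows
    "kernel32.dll",
    "HKEY_",
]

# Four or more printable ASCII bytes.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Four or more UTF-16LE code units whose high byte is NUL (ASCII range).
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> List[str]:
    """Return printable ASCII and UTF-16LE strings found in data."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found


def find_windows_artifacts(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator (case-insensitive) to the strings containing it."""
    hits: Dict[str, List[str]] = {}
    for s in extract_strings(data):
        for indicator in WINDOWS_INDICATORS:
            if indicator.lower() in s.lower():
                hits.setdefault(indicator, []).append(s)
    return hits


def scan_file(path: str) -> Dict[str, List[str]]:
    """Convenience wrapper: run the scan over a file on disk."""
    with open(path, "rb") as fh:
        return find_windows_artifacts(fh.read())


# Constructed sample: a fake Mach-O header followed by a few strings.
# The double NUL after "explorer.exe" keeps the UTF-16LE matcher from
# pulling the trailing ASCII byte into the wide string that follows it.
SAMPLE = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 8
    + b"/usr/lib/libSystem.B.dylib\x00"
    + b"explorer.exe\x00\x00"
    + "Internet Explorer".encode("utf-16-le") + b"\x00\x00"
    + b"\\\\.\\pipe\\example_pipe\x00"
)

# Constructed benign sample: only a native macOS library reference.
CLEAN_SAMPLE = b"\xcf\xfa\xed\xfe" + b"/usr/lib/libSystem.B.dylib\x00"


if __name__ == "__main__":
    for indicator, strings in find_windows_artifacts(SAMPLE).items():
        print(f"{indicator!r}: {strings}")
```

Run it against a real file with `scan_file("/path/to/binary")`; a non-empty result is a hint to look harder, not proof of malice, since legitimate cross-platform software can carry the same strings.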
macOS has never been immune to malware, bugs or viruses; there just weren’t enough people using the OS for attackers to bother. Apparently that has changed, and attackers are taking notice. While Snake’s primary arena isn’t consumer facing, that doesn’t mean its methods won’t be used against consumers. Hopefully Apple is taking notice of the current rise in macOS-oriented attacks and taking measures to mitigate the threats.