The Russia-linked cyberespionage group known as Turla has been working on developing a Mac OS X version of its Snake malware framework, researchers at Fox-IT revealed this week.
Turla is also known as Waterbug, KRYPTON and Venomous Bear. Snake, also tracked as Turla and Uroburos, is one of its primary tools. The group is believed to have been active since at least 2006, but experts recently linked it to one of the earliest known state-sponsored cyberespionage operations carried out in the ‘90s.
The threat actor initially focused on targeting Windows systems, but in late 2014 Kaspersky Lab reported uncovering a piece of malware designed to work on Linux.
Now, Fox-IT has identified what it believes to be a Mac OS X version of Turla’s Snake malware. According to researchers, the sample they found contained debug functionality and it was signed on February 21, which indicates that it’s still under development.
An analysis of the Mac malware, delivered by the attackers as an Adobe Flash Player installer, showed that it had actually been ported from the Windows version. Its code included references to the “explorer” process, the Internet Explorer web browser and named pipes.
Once deployed, the malware maintains persistence by abusing Apple’s LaunchDaemon service. In order to bypass the GateKeeper security feature, the malware has been signed with a valid developer certificate that was likely stolen by the cyberspies. Fox-IT has notified Apple about the compromised certificate.
Experts noticed that the malware’s developers likely speak Russian, based on the use of the KOI8-R character encoding, which covers the Cyrillic alphabet.
“This indicates that the developers tested with Russian command output (encoded using the KOI8-R codepage). On systems where the command output is displayed in another language (and another codepage), text would be incorrectly represented in Cyrillic characters,” Fox-IT researchers said in a blog post.
The security firm has yet to see any attacks leveraging the OS X version of the Snake malware.
The Turla group is believed to be responsible for attacks on many organizations around the world, and despite having its operations exposed by the cybersecurity community on several occasions, the threat actor has continued to launch attacks and improve its tools.
In recent weeks, researchers reported seeing a new JavaScript malware used to profile victims, and an improved version of the second-stage backdoor tracked as Carbon and Pfinet.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
