Security Experts:

Connect with us

Hi, what are you looking for?



Turla Cyberspies Developing Mac OS X Malware

The Russia-linked cyberespionage group known as Turla has been working on developing a Mac OS X version of its Snake malware framework, researchers at Fox-IT revealed this week.

The Russia-linked cyberespionage group known as Turla has been working on developing a Mac OS X version of its Snake malware framework, researchers at Fox-IT revealed this week.

Turla is also known as Waterbug, KRYPTON and Venomous Bear. Snake, also tracked as Turla and Uroburos, is one of its primary tools. The group is believed to have been active since at least 2006, but experts recently linked it to one of the earliest known state-sponsored cyberespionage operations carried out in the ‘90s.

The threat actor initially focused on targeting Windows systems, but in late 2014 Kaspersky Lab reported uncovering a piece of malware designed to work on Linux.

Now, Fox-IT has identified what it believes to be a Mac OS X version of Turla’s Snake malware. According to researchers, the sample they found contained debug functionality and it was signed on February 21, which indicates that it’s still under development.

An analysis of the Mac malware, delivered by the attackers as an Adobe Flash Player installer, showed that it had actually been ported from the Windows version. Its code included references to the “explorer” process, the Internet Explorer web browser and named pipes.

Once deployed, the malware maintains persistence by abusing Apple’s LaunchDaemon service. In order to bypass the GateKeeper security feature, the malware has been signed with a valid developer certificate that was likely stolen by the cyberspies. Fox-IT has notified Apple about the compromised certificate.

Experts noticed that the malware’s developers likely speak Russian, based on the use of the KOI8-R character encoding, which covers the Cyrillic alphabet.

“This indicates that the developers tested with Russian command output (encoded using the KOI8-R codepage). On systems where the command output is displayed in another language (and another codepage), text would be incorrectly represented in Cyrillic characters,” Fox-IT researchers said in a blog post.

The security firm has yet to see any attacks leveraging the OS X version of the Snake malware.

The Turla group is believed to be responsible for attacks on many organizations around the world, and despite having its operations exposed by the cybersecurity community on several occasions, the threat actor has continued to launch attacks and improve its tools.

In recent weeks, researchers reported seeing a new JavaScript malware used to profile victims, and an improved version of the second-stage backdoor tracked as Carbon and Pfinet.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...