Snake, also known as Turla and Uroburos, is backdoor malware that has been around and infecting Windows systems since at least 2008. It is thought to be Russian governmental malware and on Windows is highly sophisticated. It was even seen infecting Linux systems in 2014. Now, it appears to have been ported to Mac.

Fox-IT International wrote about the discovery of a Mac version of Snake on Tuesday. It's not known at this point how Snake is spread, although the fact that it imitates an Adobe Flash Player installer suggests a not-very-sophisticated method. (I mean, come on, there are other pieces of software out there! Why are the bad guys so hung up on Flash installers?)

The malware was found in a file named Install Adobe Flash. The .zip file would appear to be a legit Adobe Flash Player installer. The app is signed, however, by a certificate issued to an "Addy Symonds" rather than Adobe, but the average user is never going to know that. As long as it's signed, Apple's Gatekeeper system will allow it, when set to its default settings.

If the app is opened, it will immediately ask for an admin user password, which is typical behavior for a real Flash installer. If such a password is provided, the behavior continues to be consistent with the real thing. Proceeding through the installation to the end will display no suspicious behavior and in the end, Flash will actually be installed.

It turns out that this is because the app incorporates a real Flash installer. This is a significant break from other fake Flash installers, which at best download the real Flash installer and open it separately after proceeding through a completely unconvincing fake install process. The app has a rather strange internal structure, lacking the normal structure of an application bundle on macOS.

When the app runs, a malicious executable named Install - also code-signed by Addy Symonds - runs first. That process, in turn, executes an included shell script named install.sh:

cp -f "$/Install Adobe Flash Player"

This script installs the following components of the malware:

Next, the script opens the installd.sh shell script then launches the real Install Adobe Flash Player process, which performs the actual installation of Flash. By the time the Flash installer interface appears, the machine is already infected.

The installd.sh script, which is also run by the installed launch daemon, simply checks to see if the malicious installdp process is running and if it isn't, launches it.

PIDS=`ps cax | grep installdp | grep -o '^**'`

At this point, once installdp is running, the malware is fully functional, providing a backdoor into the Mac, configured according to the data found in the queue file.

In all, this is one of the sneakier bits of Mac malware lately. Although it's still "just a Trojan," it's a quite convincing one if distributed properly. Although Mac users tend to scoff at Trojans, believing them to be easy to avoid, this is not always the case. Trojans can be effective even when they're junk and the social engineering behind them is poor.

Further, the installed components of the malware are quite effective as well. The launch daemon is quite unremarkable since anyone with Adobe software will have other Adobe launch agents or daemons installed. Few people even know that the /Library/Scripts/ folder exists, so that's a moderately safe place to dump a payload (although there are better options). Consider how bad it would be if someone were to receive this file in a convincing spoofed e-mail, supposedly from their IT department or a close friend, telling them to install it immediately due to a recent Flash vulnerability! As a spear phishing attack, this could be used with devastating effect.
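A defender-side triage of LaunchDaemons plists for the persistence pattern described above (an Adobe-looking daemon that runs a relauncher shell script out of /Library/Scripts/), written as an added example for this post; it is not code from the article or from Fox-IT. The sample plists, their labels and paths are constructed, and the "expected Adobe directory" and extra drop folders are assumptions.

```python
import plistlib
from pathlib import PurePosixPath

# /Library/Scripts/ is the drop folder the article calls out; the other entries are common
# drop locations added for this example (assumption, not from the article).
PAYLOAD_DIRS = ("/Library/Scripts", "/private/tmp", "/tmp", "/Users/Shared")
# Assumed location of genuine Adobe helpers; tune this for your own fleet.
ADOBE_DIRS = ("/Library/Application Support/Adobe",)
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")

def daemon_program(plist):
    """Executable a launchd job runs: Program, else ProgramArguments[0]; `/bin/sh script` resolves to the script."""
    prog = plist.get("Program")
    args = list(plist.get("ProgramArguments") or [])
    if prog is None and args:
        prog = args[0]
    if prog in SHELLS and len(args) > 1 and not args[1].startswith("-"):
        prog = args[1]
    return prog

def triage_daemon(plist_bytes):
    """Return findings for one LaunchDaemons plist; an empty list means nothing was flagged."""
    plist = plistlib.loads(plist_bytes)
    label = plist.get("Label", "<no label>")
    prog = daemon_program(plist)
    if prog is None:
        return [f"{label}: no Program or ProgramArguments"]
    parent = str(PurePosixPath(prog).parent)
    findings = []
    if any(parent == d or parent.startswith(d + "/") for d in PAYLOAD_DIRS):
        findings.append(f"{label}: runs {prog} from a folder users rarely inspect")
    if "adobe" in label.lower() and not prog.startswith(ADOBE_DIRS):
        findings.append(f"{label}: Adobe-style label but program outside Adobe directories")
    if prog.endswith(".sh"):
        findings.append(f"{label}: launches a shell script (relauncher/watchdog pattern)")
    return findings

# Constructed sample plists (hypothetical labels and paths, not the malware's real files).
BENIGN = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.adobe.example.helper</string>
<key>ProgramArguments</key><array><string>/Library/Application Support/Adobe/Example/helper</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SUSPECT = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.adobe.update.installd</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>/Library/Scripts/installd.sh</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage_daemon(blob) or ["nothing flagged"])
```

On a real Mac the same function can be fed the contents of each file under /Library/LaunchDaemons and /Library/LaunchAgents.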