Snake Malware Modified; OS X The Next Target

The security researchers at Fox-IT have discovered a modified version of the previously known snake malware. A version specifically designed to target MacOS. Still not sure what snake malware is? Well, it also goes by the name of Turla, Agent.BTZ and Uroburous. Sounds familiar now?

Previous Victims: As per reports, the snake malware was previously targeting only computers running on Windows, but it now the situation has changed. According to Fox-IT experts, the malware is highly sophisticated and was only targeting high-profile targets in the past including Embassies, Government institutions, universities, pharmaceutical companies, colleges, and researchers etc. 

In 2014, the IT security researchers at Kaspersky cited that the malware mounted aggressive cyber espionage operations against Ukraine and a host of other European and American government organizations over nearly a decade. 

How the malware worked when it was discovered by the researchers

Related: New iCloud Phishing Scam steals credit card data, access device’ camera

A bit similar to the Windows version: This version of the malware has quite a lot of things in common with the previous version, and according to the researchers, it even has some Windows-centric terms.

The attack: Like all other malware, Turla also disguises itself as a legit app, tricking the users into installing it.

In the OS X targeting version, the researchers found the snake malware to be hidden in a ZIP file as adobe-flash-player, and once the user opens the attachments, the malware is automatically installed on the victim’s machine. It looks like for now the malware attack can not be blocked by Apple since it seems to have a signed developer certificate- presumably stolen by the hackers.

According to security experts, “for an Application to be run on OS X, it has to be signed with a valid certificate issued by Apple, or it would be blocked by GateKeeper (unless configured otherwise).”

This only goes to show that hackers have somehow managed to steal the developer certificate of a legit developer.

The show about to begin: Security experts believe that the snake malware is still work-in-progress.  Fox-IT researchers believe that: “Snake binaries contain strings that can be obtained through snake_name_get() call. These strings are stored as a pair of 0x40 byte blobs that are XOR-ed against each other. In this binary, the blobs only contain placeholders that are yet to be replaced by the actual values, which is another indication that this Snake binary is not yet ready to deploy to targets.” 

Related: The Nastiest of all Ransomware Mamba Encrypts Entire Hard Drive

Furthermore, the researchers explained that: “As this version contains debug functionalities and was signed on February 21st, 2017 it is likely that the OS X version of Snake is not yet operational. Fox-IT expects that the attackers using Snake will soon use the Mac OS X variant on targets,”

A word of advice: Never pay attention to unwanted emails and DO NOT click any attachment if it’s from an unknown email address!


DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Jahanzaib Hassan