A group of skilled Russian hackers who’ve exclusively targeted specific Windows users appear to be preparing an attack for Mac owners.
Dutch security firm Fox-IT has raised an alarm over a Mac variant of a strain of Windows malware it says is a “complex malware framework for targeted attacks”.
The reference to targeted attacks means most users are likely not in any danger; however, the history of the Windows variant suggests Macs used by government institutions, the military and large corporates could soon be.
The Windows malware in question was tagged as "Turla" by researchers at Kaspersky, but is also known as Uroburos and Agent.BTZ, once used against US military networks.
Its other name is Snake, and according to Fox-IT, an NCC Group company, its code is “significantly more sophisticated” than the malware used by Fancy Bears, the presumed Russian hacker group blamed for recent US political hacks and leaks about Olympic athlete medical records.
“The framework has traditionally focused on the Windows operating system, but in 2014 the first Linux variant was observed. Now, Fox-IT has identified a version of Snake targeting Mac OS X,” the security company notes.
Fox-IT expects that the “attackers using Snake will soon use the Mac OS X variant on targets.”
The hackers responsible for Snake have ported its Windows malware to macOS (OS X) and are using mutated versions of an Adobe Flash Player installer to trick Mac users into installing a backdoor on their systems.
Notably, the corrupted installer has been signed with a valid, but likely stolen, Apple developer certificate, which allows it to pass the default controls enforced by Apple’s Gatekeeper. The installer will keep passing those checks unless and until Apple invalidates the certificate, at which point the revoked certificate would trigger a security notification to users.
The malicious installer was signed on February 21, which Fox-IT takes to mean that the Mac version of Snake isn’t actually in use yet. Fox-IT says it has informed Apple of the issue and requested that it revoke the certificate.
Mac malware remains rare relative to its Windows counterparts; however, attackers do exploit Apple’s reliance on validated digital certificates as a trust mechanism. If software is signed by a valid Apple developer certificate, macOS (OS X) considers it trustworthy and won’t raise a security alarm.
Security firm Check Point last week revealed Mac malware dubbed OSX/Dok, which was also signed with a valid developer certificate. Apple revoked the certificate on Sunday, according to Kaspersky’s Threat Post.
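The certificate trust described above (a valid Developer ID signature passes Gatekeeper until Apple revokes it) can be checked on a downloaded installer before it is opened. The script below is an added example, not Fox-IT's or the article's code: it parses `codesign -dvvv` output to classify the signer and, on macOS, asks `spctl` for the current Gatekeeper verdict. It assumes the installer is an .app bundle; the sample codesign output and the team ID in it are constructed.

```shell
#!/bin/sh
# Added example: classify the signing authority of a macOS app bundle from
# `codesign -dvvv` output and ask Gatekeeper (`spctl`) whether it would be
# accepted today. codesign/spctl exist only on macOS; the parsing functions
# work anywhere on captured output.

# Leaf signing authority: the first Authority= line of codesign output ($1).
leaf_authority() {
    printf '%s\n' "$1" | sed -n 's/^Authority=//p' | head -n 1
}

# TeamIdentifier from codesign output ($1); "not set" when the line is absent.
team_identifier() {
    tid=$(printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    printf '%s\n' "${tid:-not set}"
}

# Bucket the signer. "developer-id" only means the certificate currently
# chains to Apple's Developer ID CA; a valid-but-stolen certificate passes
# this check until Apple revokes it, which is the gap the Snake installer uses.
classify_signer() {
    case "$(leaf_authority "$1")" in
        "")                              echo "adhoc/unsigned" ;;
        "Developer ID Application: "*)   echo "developer-id" ;;
        "Apple "*|"Software Signing"*)   echo "apple" ;;
        *)                               echo "other" ;;
    esac
}

# macOS-only wrapper: dump the signature, classify it, then let Gatekeeper
# assess the bundle (spctl reports "rejected" once the certificate is revoked).
check_installer() {
    info=$(codesign -dvvv "$1" 2>&1) || { echo "unsigned/invalid: $1"; return 1; }
    echo "signer class: $(classify_signer "$info")"
    echo "team id:      $(team_identifier "$info")"
    spctl --assess -vv "$1" 2>&1
}

# Constructed sample codesign output (hypothetical developer and team ID).
SAMPLE_DEVID='Executable=/tmp/Install Adobe Flash Player.app/Contents/MacOS/installer
Identifier=com.example.flashinstaller
Authority=Developer ID Application: Example Dev (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'
SAMPLE_ADHOC='Executable=/tmp/unsigned
Identifier=unsigned
Signature=adhoc
TeamIdentifier=not set'

classify_signer "$SAMPLE_DEVID"   # developer-id
classify_signer "$SAMPLE_ADHOC"   # adhoc/unsigned
```

Run `check_installer "/path/to/Install Adobe Flash Player.app"` on a Mac to see both the signer class and the live Gatekeeper verdict for a real download.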
Fox-IT's alert is meant to warn Mac users in targeted sectors to be extra cautious of phishing emails in coming weeks and months.
“Though Snake is typically spread using spear-phishing e-mails and watering hole attacks, Fox-IT has not yet observed this sample being spread in the wild,” Fox-IT said.