Two malware families targeting Mac machines recently surfaced in the wild: Snake (also known as Turla, Uroburos, and Agent.BTZ, and detected by Trend Micro as OSX_TURLA.A) and Proton (OSX_PROTON.A). Both are remote access Trojans (RATs) that grant attackers unauthorized remote access to the system, enabling them to steal files, data, and credentials stored on it, view the computer’s screen in real time, and log keystrokes.
Snake originally targeted Windows-based systems as early as 2008 and was used for cyberespionage. In 2014, its operators created a version that ran on Linux machines. Snake slithered its way into its targets by exploiting an array of vulnerabilities. Its rootkit capabilities let it maintain persistence on the infected system by hiding its malicious processes and files from the user, which in turn made detection challenging.
This time, its operators have ported the Windows version of the backdoor to Mac OS X, using a poisoned, zipped Adobe Flash Player installer as a lure. This iteration of Snake uses a valid, most likely stolen, Apple developer certificate to bypass the code-signing restriction of Gatekeeper (a security feature of Mac OS X) and be allowed to execute on the system. The debug functions observed in Snake indicate that it is still in development and is expected to be fully operational soon.
The Proton backdoor made the rounds after its operators compromised the mirror/alternate download server of HandBrake, a popular, open-source video transcoding application, to deliver the malware. According to a security advisory that HandBrake’s developers released in their forums, the compromise occurred between May 2nd (14:30 UTC) and May 6th (11:00 UTC). Attackers replaced the legitimate HandBrake app with their own malicious file, one whose SHA1 and SHA256 hashes did not match those published on the project’s website or GitHub repository.
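The hash mismatch described above is exactly the check a user or an endpoint-deployment script can perform before opening a downloaded installer. The following is an added example, not code from the original post or from the HandBrake project: it parses a published checksum list in the usual `sha1sum`/`sha256sum` two-column format and verifies a downloaded file against it. The installer bytes, the filename `HandBrake-example.dmg`, and the checksum list are all constructed here for illustration.

```python
import hashlib
import hmac

# Constructed sample: the bytes of a legitimate installer download.
GOOD_INSTALLER = b"HandBrake-example.dmg contents (constructed sample)\n"
# Constructed sample: a replaced file such as one served from a compromised mirror.
BAD_INSTALLER = GOOD_INSTALLER + b"\x00trailing payload (constructed)\n"

# Constructed checksum list in the two-column format that sha1sum/sha256sum
# emit and that projects commonly publish on their website or in their repo.
# The digests are computed from the constructed good installer above.
PUBLISHED_HASHES = (
    f"{hashlib.sha1(GOOD_INSTALLER).hexdigest()}  HandBrake-example.dmg\n"
    f"{hashlib.sha256(GOOD_INSTALLER).hexdigest()}  HandBrake-example.dmg\n"
)


def parse_manifest(text):
    """Parse '<hexdigest>  <filename>' lines into {(algo, filename): digest}.

    The algorithm is inferred from the digest length (40 hex chars = SHA-1,
    64 = SHA-256). Blank lines, comments and malformed lines are skipped, and
    the '*' binary-mode marker some tools prepend to the filename is dropped.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        algo = {40: "sha1", 64: "sha256"}.get(len(digest))
        if algo is None or not name:
            continue
        entries[(algo, name)] = digest
    return entries


def verify_download(data, filename, manifest_text):
    """Check `data` against every published digest for `filename`.

    Returns (ok, results) where results maps each algorithm to
    'match', 'MISMATCH' or 'missing'. Policy: the SHA-256 entry must be
    present and match; a SHA-1 entry is supplementary but any mismatch
    on it also fails the check, because it indicates a different file.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for algo in ("sha1", "sha256"):
        want = expected.get((algo, filename))
        if want is None:
            results[algo] = "missing"
            continue
        got = hashlib.new(algo, data).hexdigest()
        # compare_digest avoids leaking which prefix matched via timing.
        results[algo] = "match" if hmac.compare_digest(got, want) else "MISMATCH"
    ok = results["sha256"] == "match" and results["sha1"] != "MISMATCH"
    return ok, results


if __name__ == "__main__":
    for label, blob in (("legitimate", GOOD_INSTALLER), ("replaced", BAD_INSTALLER)):
        ok, details = verify_download(blob, "HandBrake-example.dmg", PUBLISHED_HASHES)
        print(f"{label}: {'OK' if ok else 'REJECT'} {details}")
```

The check is only as strong as the path by which the checksum list arrives: if the digests are fetched from the same compromised mirror as the binary, an attacker can simply publish matching ones. As in the HandBrake case, the list should come from a separately trusted location (the project’s main website or its GitHub repository), and a missing SHA-256 entry is treated as a failure rather than a pass.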
Like Snake, Proton uses a signed Apple certificate to run on the infected system, allowing it to steal credentials such as those stored in password-storing utilities like Apple’s own Keychain and in browser-based services.
These threats dispel the notion that Mac-based systems are immune to malware. As Apple-based devices continue to gain market share, so will the threats that target them. For instance, Trend Micro observed over 221,000 detections of Mac-based threats in December 2016 alone, a significant surge from November 2016, when there were only 81,000.
In fact, Trend Micro has observed a steady increase in malware that targets Apple users, ranging from black hat search engine optimization attacks, exploits that leverage security flaws in Mac, potentially unwanted applications like adware that can bypass privacy protection, and phishing, to rootkits and even ransomware such as KeRanger (OSX_KERANGER).
Indeed, attacks on Apple devices and software are no longer considered “unprecedented”. Apple is projected to outpace Microsoft in the number of vulnerabilities discovered. The ever-increasing synergy between various Apple devices and software will only motivate cybercriminals to target these platforms more.