PSA: Russian-Backed Flash Trojan Ported to macOS

Snake on macOS

A Russian-backed bit of malware called Snake has been ported to macOS, according to security blog Fox-IT (via Malwarebytes Labs). Snake is a trojan disguised to look like a Flash installer, and it’s been around on Windows since 2008 and Linux since 2014.


Although it is malware, Snake is technically a Trojan: it relies on tricking the user into installing it with their own password. It is circulating in the wild in a file named Install Adobe Flash Player.app.zip. The macOS installer is signed by a (currently) legitimate developer certificate issued to an “Addy Symonds.”

From Malwarebytes:

It’s not known at this point how Snake is spread, although the fact that it imitates an Adobe Flash Player installer suggests a not-very-sophisticated method. (I mean, come on, there are other pieces of software out there! Why are the bad guys so hung up on Flash installers?)

To Malwarebytes’ point, any user sophisticated enough to look up the name on the certificate isn’t likely either to fall victim to the Trojan or to be fooled by that name. Everyone else, however, won’t bother looking and could fall for the Trojan.

For funsies, the Snake Trojan on macOS does actually install Flash. But it also delivers a payload of malware that will give the Russians control over your Mac. Which is something you probably want to avoid.

You can read up on the details of what Snake does at Malwarebytes. Our advice, though, is to not install Flash. If you MUST install Flash, get it directly from Adobe every single time.
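Since the installer’s only visible tell is the developer certificate it is signed with, here is an added example (not from the article or from Malwarebytes) of how to look at that certificate from a macOS Terminal before double-clicking anything. It uses Apple’s own codesign(1) and spctl(8) tools; the download path is an assumption, and the function returns distinct exit codes so it can be scripted.

```shell
#!/bin/sh
# Added example: inspect the code signature of a downloaded .app bundle and ask
# Gatekeeper whether it would allow the app to run. Requires macOS (codesign, spctl).
# Exit codes: 0 = signature verifies and Gatekeeper accepts
#             1 = signature broken/absent or Gatekeeper rejects
#             2 = macOS tools not available on this system
#             3 = the path is not an app bundle

check_app_signature() {
    app="$1"
    [ -d "$app" ] || { echo "not an app bundle: $app" >&2; return 3; }
    command -v codesign >/dev/null 2>&1 || { echo "codesign not found (not macOS?)" >&2; return 2; }
    command -v spctl    >/dev/null 2>&1 || { echo "spctl not found (not macOS?)" >&2; return 2; }

    # Who signed it. codesign -d prints to stderr; the Authority= lines name the
    # signing certificate chain and TeamIdentifier= the Apple developer team.
    echo "== signer =="
    codesign -dvvv "$app" 2>&1 | grep -E '^(Identifier|TeamIdentifier|Authority)=' || true

    # Does the signature still cover the whole bundle (nested code included)?
    echo "== signature check =="
    if ! codesign --verify --deep --strict --verbose=2 "$app" 2>&1; then
        echo "RESULT: signature does not verify" >&2
        return 1
    fi

    # Would Gatekeeper run it? This also reflects a revoked Developer ID.
    echo "== Gatekeeper assessment =="
    if ! spctl --assess --type execute --verbose "$app" 2>&1; then
        echo "RESULT: Gatekeeper rejects this app" >&2
        return 1
    fi
    echo "RESULT: signed and accepted; now decide whether you trust that signer"
    return 0
}

# Usage: sh check_app.sh "$HOME/Downloads/Install Adobe Flash Player.app"
if [ $# -gt 0 ]; then
    check_app_signature "$1"
fi
```

An exit code of 0 only means the bundle is intact and the certificate has not (yet) been revoked; it says nothing about whether the name on the Authority line is the vendor you expected. If the signer is not Adobe, that is your answer, whatever codesign says.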

6 thoughts on “PSA: Russian-Backed Flash Trojan Ported to macOS”

  • Bryan:

    To the question,

    It’s not known at this point how Snake is spread, although the fact that it imitates an Adobe Flash Player installer suggests a not-very-sophisticated method. (I mean, come on, there are other pieces of software out there! Why are the bad guys so hung up on Flash installers?)

    Perhaps they’re friends of Bosco (Whatever happened to Brad? Those Flash tirades were a thing of wonder), or the bad guys could just have some adolescent superhero preoccupation, being geeks and all.

    More seriously, Flash remains anachronistically prevalent on academic-related, government and NGO websites (and the BBC, but let’s not get started), which requires one to frequently enable it in order to use these sites. Sites that host academic or professional training and accreditation videos, for example, are notorious Flash propagators. I’ve given up deleting Flash from my Mac, but can at least enable it for specific use only.

    When you add that to the lack of software and security sophistication by many users worldwide, Flash becomes a tempting Trojan indeed. I know many a colleague, and not just throughout low and middle income countries, who get their software by convenient referral rather than going to the source.

    Bottom line: this is an easy exploit with potentially high penetration. It’s just not ideally suited to veteran Mac users, who tend to be a wee bit more tech savvy than the average user. The iOS halo effect might be diluting that savvy gene pool, hence the timeliness of the release.

  • For those of us less sophisticated, what is the generally accepted manner to check the “certificate”?

    OT: well said, skywatcher. Some took the “fake news” bait hook, line and sinker.

  • So, it was OK for Obama to give away every military advantage to Putin in the name of “flexibility”, and for Hillary Clinton to give away a large percentage of our uranium reserves to Russia in return for millions of dollars ‘contributed’ to the Clinton Crime Family Foundation? And you probably weren’t concerned at all by the thousands of classified emails leaked through to America’s enemies, including Russia. I bet you weren’t worried at all about Russian influence then. But now, you believe a fake story about Russian influence on Trump and the election – no real evidence whatsoever, mind you; no mechanism present for hacking an election. This is so much like “1984” it’s scary. You socialists amaze me with your arrogance and blindness.

  • OK! I’ll take the obvious bait!

    “For funsies, Snake Trojan on macOS does actually install Flash. But, it delivers a payload of malware that will give the Russians control over your Mac. Which is something you probably want to avoid.”

    You meant, of course:

    “For funsies, Snake-Oil Salesman Trump on Election OS (2016) does actually install FAKE NEWS. But, it delivers a payload of malware that will give the Russians control over your country. Which is something you probably want to avoid.”

    😎
