Snake

Snake is a known malware on Windows OS since 2008. In 2017 fox-it found a variant of this malware that was ported to macOS.The malware arrived as the file “Install Adobe Flash Player.zip” which is a modify version of Adobe Flash installation. Within the zip file there is a macOs application bundle signed with a legitimate Apple Developer ID (revoked already):

Source: CheckPoint

Once executed the malware will execute its script first prior the real Adobe installation. It will use AppleScript in order to execute its infection script with administrator permissions:

Source: CheckPoint

The infection vector contains two scripts. The first will copy the malware files to target locations “/Library/Scripts/” and create a LaunchDaemon in order to persist on the system.

Source: CheckPoint

The second script “installd.sh” will check if “installdp” process is running, and if not, will execute it.It is unknown what the infection vector is, if any infection was there at all. From the malicious binary file “installdp” it might be implied that this version of the malware is not finished as there are a lot of debug strings:

Source: CheckPoint

Links:

Snake: Coming soon in Mac OS X flavour

Samples:
b8ee4556dc09b28826359b98343a4e00680971a6f8c6602747bd5d723d26eaea

Share this: