{
	"id": "88c67511-cbeb-49a6-a7f3-fc2cc86945f4",
	"created_at": "2026-04-06T00:14:12.960294Z",
	"updated_at": "2026-04-10T13:12:34.832643Z",
	"deleted_at": null,
	"sha1_hash": "98c43a61087eb816cb118a730fd4298f2194ae6c",
	"title": "Snake malware ported from Windows to Mac | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1343645,
	"plain_text": "Snake malware ported from Windows to Mac | Malwarebytes Labs\r\nBy Thomas Reed\r\nPublished: 2017-05-04 · Archived: 2026-04-05 13:28:37 UTC\r\nSnake, also known as Uroburos and tied to the Turla group, is backdoor malware that has been infecting Windows systems since at least 2008. It is thought to be Russian governmental malware, and on Windows it is highly sophisticated. It was even seen infecting Linux systems in 2014. Now it appears to have been ported to the Mac.\r\nFox-IT International wrote about the discovery of a Mac version of Snake on Tuesday. It’s not known at this point how Snake is spread, although the fact that it imitates an Adobe Flash Player installer suggests a not-very-sophisticated method. (I mean, come on, there are other pieces of software out there! Why are the bad guys so hung up on Flash installers?)\r\nDistribution method\r\nThe malware was found in a file named Install Adobe Flash Player.app.zip. The app inside the .zip file appears to be a legitimate Adobe Flash Player installer. It is signed, however, with an Apple developer certificate issued to an “Addy Symonds” rather than to Adobe. The average user is never going to notice that: as long as the app carries a valid, unrevoked developer signature, Gatekeeper at its default settings will allow it to run, because Gatekeeper checks that the signature is valid, not that the signer is who the app claims to be.\r\nIf the app is opened, it immediately asks for an admin user password, which is typical behavior for a real Flash installer. If the password is provided, the behavior continues to be consistent with the real thing.\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/\r\nPage 1 of 4\n\nProceeding through the installation to the end displays no suspicious behavior, and in the end Flash actually is installed. 
This is a significant break from other fake Flash installers, which at best download the real Flash installer and open it separately after walking the user through a completely unconvincing fake install process.\r\nIt turns out that this is because the app incorporates a real Flash installer. The app has a rather strange internal structure, lacking the normal layout of an application bundle on macOS. It works, though.\r\nWhen the app runs, a malicious executable named Install – also code-signed by Addy Symonds – runs first. That process, in turn, executes an included shell script named install.sh:\r\n#!/bin/sh\r\nSCRIPT_DIR=$(dirname \"$0\")\r\nTARGET_PATH=/Library/Scripts\r\nTARGET_PATH2=/Library/LaunchDaemons\r\nThis script installs the following components of the malware:\r\n/Library/Scripts/queue\r\n/Library/Scripts/installdp\r\n/Library/Scripts/installd.sh\r\n/Library/LaunchDaemons (the launch daemon that re-runs installd.sh)\r\nNext, the script executes the installd.sh shell script, then launches the real Install Adobe Flash Player process, which performs the actual installation of Flash. By the time the Flash installer interface appears, the machine is already infected.\r\nThe installd.sh script, which is also run by the installed launch daemon, simply checks whether the malicious installdp process is running and, if it isn’t, launches it:\r\n#!/bin/bash\r\nSCRIPT_DIR=$(dirname \"$0\")\r\nFILE=\"${SCRIPT_DIR}/queue#1\"\r\nPIDS=`ps cax | grep installdp | g\r\nAt this point, once installdp is running, the malware is fully functional, providing a backdoor into the Mac, configured according to the data found in the queue file.\r\nImpact\r\nIn all, this is one of the sneakier bits of Mac malware lately. Although it’s still “just a Trojan,” it’s a quite convincing one if distributed properly. 
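The persistence layout described above (three files dropped into /Library/Scripts plus a launch daemon that keeps installd.sh and installdp alive) is straightforward to hunt for on a suspect volume. The script below is an added example, not code from the post or from Malwarebytes. It assumes a POSIX sh with grep, mktemp and printf, uses the file names the post gives, and, since the page does not show the launch daemon’s plist name, flags any launchd job that executes something out of /Library/Scripts instead of matching a name. The sample tree it builds is constructed for the demonstration and its plist names are made up.

```shell
#!/bin/sh
# Added example, not code from the Malwarebytes post: hunt a volume for the
# OSX.Snake persistence described above (files dropped into /Library/Scripts
# plus a launch daemon that keeps installd.sh/installdp alive).
# Assumptions: POSIX sh with grep, mktemp and printf; the dropped file names
# are the ones the post lists; the page does not give the daemon's plist
# name, so the daemon check is a heuristic (any launchd job executing
# something from /Library/Scripts) rather than a name match.

# Files install.sh drops, relative to the volume root (from the post).
SNAKE_PATHS='Library/Scripts/queue Library/Scripts/installdp Library/Scripts/installd.sh'

# snake_hunt ROOT
#   Prints one finding per line. Returns 0 if clean, 1 if anything was found.
#   ROOT is / on a live Mac, the mount point of a disk image, or a test tree.
snake_hunt() {
    root=${1:-/}
    root=${root%/}          # so "$root/Library" is right even for ROOT=/
    out=$(
        # 1. The dropped files themselves.
        for rel in $SNAKE_PATHS; do
            if [ -e "$root/$rel" ]; then
                printf 'dropped file: /%s\n' "$rel"
            fi
        done
        # 2. Persistence: /Library/Scripts holds AppleScripts, never daemons,
        #    so any launchd job whose Program/ProgramArguments point there is
        #    suspect whatever the plist happens to be called.
        for plist in "$root"/Library/LaunchDaemons/*.plist "$root"/Library/LaunchAgents/*.plist; do
            [ -f "$plist" ] || continue
            if grep -q '<string>/Library/Scripts/' "$plist"; then
                printf 'suspicious launchd job: %s\n' "${plist#"$root"}"
            fi
        done
    )
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# make_sample_tree
#   Builds a constructed directory tree that mimics an infected volume and
#   prints its path. The plist names and the benign helper path are invented
#   for this demonstration.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/Library/Scripts" "$t/Library/LaunchDaemons"
    : > "$t/Library/Scripts/queue"
    : > "$t/Library/Scripts/installdp"
    printf '#!/bin/bash\n' > "$t/Library/Scripts/installd.sh"
    cat > "$t/Library/LaunchDaemons/com.example.update.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.update</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>/Library/Scripts/installd.sh</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    # A legitimate-looking daemon that must not be flagged.
    cat > "$t/Library/LaunchDaemons/com.example.benign.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Application Support/Example/helper</string></array>
</dict>
</plist>
EOF
    printf '%s\n' "$t"
}

# Demonstration against the constructed tree.
demo_root=$(make_sample_tree)
if snake_hunt "$demo_root"; then
    echo 'verdict: no Snake artifacts'
else
    echo 'verdict: Snake artifacts present, treat the host as compromised'
fi
rm -rf "$demo_root"
```

On a live Mac, run snake_hunt / as root. The plist check greps XML, so convert any binary plist with plutil -convert xml1 first, and because the daemon relaunches installdp, also confirm with ps and launchctl list that nothing by that name is still running before trusting a clean result.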
Although Mac users tend to scoff at Trojans, believing them to be easy to avoid, this is not always the case.\r\nTrojans can be effective even when they’re junk and the social engineering behind them is poor. Consider how bad it would be if someone were to receive this file in a convincing spoofed e-mail, supposedly from their IT department or a close friend, telling them to install it immediately because of a recent Flash vulnerability. As a spear phishing attack, this could be used with devastating effect.\r\nFurther, the installed components of the malware are quite effective as well. Few people even know that the /Library/Scripts/ folder exists, so it’s a moderately safe place to dump a payload (although there are better options). The launch daemon is quite unremarkable, since anyone with Adobe software will have other Adobe launch agents or daemons installed; the average person won’t know this one isn’t legitimate.\r\nFortunately, Apple revoked the certificate very quickly, so this particular installer is no further danger unless the user is tricked into downloading it via a method that doesn’t mark it with a quarantine flag (such as most torrent apps). Gatekeeper only assesses files that carry the com.apple.quarantine extended attribute, which browsers and mail clients set on downloads but many other tools do not; a copy that arrives without the flag is never checked against the revocation, so the revoked certificate does nothing for it. Malwarebytes for Mac will detect it as OSX.Snake and removal, in this case, is a breeze.\r\nIf you’re infected, however, as with any backdoor, it’s important to keep in mind that data may have been stolen, including passwords and any unencrypted files on the hard drive. Keep in mind that, even if you use FileVault, the files are decrypted as long as you’re logged in, so full-disk encryption offers no protection against malware running in your session.\r\nAfter removing the malware (and restarting the computer), change your passwords and make sure that you’ve taken any other necessary steps to mitigate damage due to the possibility of exfiltrated data. 
And, as always, if this is a business machine, contact IT so they know about the issue and can take any necessary measures to mitigate risk to the company.\r\nAbout the author\r\nHad a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/"
	],
	"report_names": [
		"snake-malware-ported-windows-mac"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434452,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98c43a61087eb816cb118a730fd4298f2194ae6c.pdf",
		"text": "https://archive.orkl.eu/98c43a61087eb816cb118a730fd4298f2194ae6c.txt",
		"img": "https://archive.orkl.eu/98c43a61087eb816cb118a730fd4298f2194ae6c.jpg"
	}
}