Snake and Proton Malware Found Targeting Mac Users

Two malware families targeting Mac machines recently surfaced in the wild: Snake (a.k.a. Turla, Uroburos, and Agent.BTZ, and detected by Trend Micro as OSX_TURLA.A) and Proton (OSX_PROTON.A). Both are remote access Trojans that can grant attackers unauthorized remote access to the system, enabling them to steal files, data, and credentials stored in the affected system, view the computer’s screen in real time, and log keystrokes.

Snake originally targeted Windows OS-based systems as early as 2008, and was used for cyberespionage. In 2014, its operators created a version that worked on Linux machines. Snake slithered its way into its targets by exploiting an array of vulnerabilities. Its rootkit capabilities allowed it to maintain persistence in the infected system by hiding its malicious processes and files from the user, which in turn made detection challenging. 

This time, they’ve ported the Windows version of the backdoor for Mac OS X systems, using a poisoned, zipped Adobe Flash Player installer as a lure. This iteration of Snake uses a valid—most likely stolen—Apple developer certificate to bypass Gatekeeper’s (a security feature of Mac OS X systems) code signing restriction and permit it to be executed in the system. The debug functions observed in Snake indicate that it’s still in development and is expected to be fully operational soon. 


The Proton backdoor made the rounds after its operators compromised the mirror/alternate download server of HandBrake, a popular, open-source video transcoding application, to deliver the malware. According to a security advisory released by HandBrake’s developers in their forums, the compromise occurred between May 2nd (14:30 UTC) and May 6th (11:00 UTC). Attackers replaced the legitimate HandBrake app with their own malicious file, one that didn’t match the SHA1 or SHA256 hashes on their website or GitHub repository.

Like Snake, Proton uses a signed Apple certificate to run in the infected system, allowing it to steal credentials such as those stored in password-storing utilities like Apple’s own Keychain and other browser-based services.


These threats dispel the notion that Mac-based systems are bulletproof against malware. As Apple-based devices continue to gain market share, so will the threats that target them. For instance, Trend Micro observed over 221,000 detections of Mac-based threats in December 2016 alone, a significant surge from November 2016, when there were only 81,000.

In fact, Trend Micro has observed a steady increase in malware that targets Apple users, ranging from black hat search engine optimization attacks, exploits that leverage security flaws in Mac, potentially unwanted applications like adware that can bypass privacy protection, and phishing, to rootkits and even ransomware such as KeRanger (OSX_KERANGER).

Indeed, attacks on Apple devices and software are no longer considered “unprecedented”. Apple is projected to outpace Microsoft in terms of vulnerability discoveries. The ever-increasing synergy between various Apple devices and software will only motivate cybercriminals into targeting these platforms more. 

Best Practices

To mitigate Proton, HandBrake’s developers urge users to check whether their version of the application runs “Activity_agent”, which users can verify with the OS X Activity Monitor app. HandBrake’s notice includes SHA1 and SHA256 hashes that users can compare a file’s checksum against to detect whether it contains the Proton backdoor. The advisory also has instructions on how to remove the malware.
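The two checks described above can be scripted. The following is an added example, not code from HandBrake's advisory or from Trend Micro: it hashes a downloaded file and compares it with reference hashes, and looks for a running process named “Activity_agent”. The function names are hypothetical, and the reference hashes are supplied by the reader from the advisory or the vendor's download page, since they are not listed on this page.

```python
import hashlib
import os
import subprocess
import sys

SUSPECT_PROCESS = "Activity_agent"  # process name cited from HandBrake's advisory

def file_digests(path, chunk_size=1 << 20):
    """Stream the file once and return its (SHA1, SHA256) hex digests."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()

def matches_reference(path, reference_hashes):
    """True if the file's SHA1 or SHA256 equals any reference hash.

    With the vendor's published hashes, False means the download was altered;
    with an advisory's hashes of the infected file, True means it is that file.
    """
    wanted = {h.strip().lower() for h in reference_hashes}
    return any(d in wanted for d in file_digests(path))

def suspect_processes(ps_output, name=SUSPECT_PROCESS):
    """Return (pid, executable path) for processes whose basename is exactly `name`."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 1)  # the path may contain spaces
        if len(parts) == 2 and os.path.basename(parts[1]) == name:
            hits.append((int(parts[0]), parts[1]))
    return hits

def running_suspects():
    """List running processes named like the advisory's indicator."""
    ps = subprocess.run(["ps", "-axo", "pid=,comm="],
                        capture_output=True, text=True, check=True)
    return suspect_processes(ps.stdout)

if __name__ == "__main__":
    # Usage: check.py <download> <hash copied from the vendor or advisory>...
    if len(sys.argv) < 3:
        sys.exit("usage: check.py <file> <reference-hash> [...]")
    print("hash match:", matches_reference(sys.argv[1], sys.argv[2:]))
    for pid, exe in running_suspects():
        print(f"suspect process: pid={pid} path={exe}")
```

A process-name match is only a lead to investigate, and a clean process list does not clear a machine, because malware with rootkit capabilities can hide its processes.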

Given that Snake and Proton are designed to steal information that includes passwords, end users are advised to promptly change credentials to prevent breach and exfiltration attempts. Additionally, users and organizations can employ file and data encryption at the endpoint level to thwart attackers from accessing sensitive information.

End users and enterprises should also practice good security habits: keep software and operating systems updated, enable Gatekeeper, download only from the official Apple store, be wary of apps with revoked or unsigned certificates, and refrain from opening suspicious or unverified files or links in emails, websites, and even your social networking accounts.

Trend Micro Solutions:

End users can also benefit from security solutions such as Trend Micro Home Security for Mac, which provides comprehensive security and multi-device protection against viruses, ransomware, malicious websites, and identity thieves. It also provides secure storage of passwords and other sensitive information. Trend Micro™ Mobile Security for Apple devices (available on the App Store) can monitor and block phishing attacks and other malicious URLs.

For enterprises, Trend Micro’s Smart Protection Suites with XGen™ security, which support Mac systems, infuse high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint.

