The cyber espionage group behind the Turla (aka Snake, Uroburos, or Agent.BTZ) malware framework is expected to be able to target Mac users soon.
The APT group
The group, which security researchers named after the tool, has been operating for years, and was first spotted targeting computers running Windows, and later Linux users as well.
They have been targeting corporations, intelligence and other government agencies, and are widely believed to be of Russian origin.
“Compared to other prolific attackers with alleged ties to Russia, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), Snake’s code is significantly more sophisticated, its infrastructure more complex and targets more carefully selected,” researchers with Dutch security firm Fox-IT noted.
The Mac variant
The researchers don’t say how they got their hands on the sample, but note that it has yet to be spotted in the wild.
“The OS X version of Snake is a port of the Windows version. References to explorer, Internet Explorer and Named Pipes are still present in the binary,” they found.
“For Windows versions the architecture of Snake typically consists of a kernel mode driver designed to hide the presence of several Snake components and to provide low-level access to network communication.”
The malicious binary comes in a ZIP archive that’s made to look like an Adobe Flash Player installer. It is signed with a valid Apple developer certificate that’s likely been stolen.
As Apple has been apprised of this, the certificate will soon be revoked, but there can be no doubt that these well-resourced attackers will simply obtain another one to sign new samples.
Several strings found throughout the binary indicate that this version is a debug build that has yet to be deployed against actual targets. For example, some of the strings contain placeholders that have yet to be replaced by the actual values, the researchers explained.
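As an added triage example (not from the article or from Fox-IT's research), the helper below pulls printable strings out of a binary, the way strings(1) does, and flags the two kinds of artefact the researchers describe: leftover Windows references from the port and unreplaced placeholders from a debug build. The indicator patterns, the placeholder styles and the sample bytes are all assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Assumed indicators: the article names explorer, Internet Explorer and
# Named Pipes as leftovers of the Windows port; the regexes are our guess.
WINDOWS_PORT_ARTIFACTS = [
    re.compile(rb"explorer(\.exe)?", re.I),
    re.compile(rb"Internet Explorer", re.I),
    re.compile(rb"\\\\\.\\pipe\\"),          # Windows named pipe path prefix \\.\pipe\
    re.compile(rb"CreateNamedPipe", re.I),  # Win32 API name, assumed
]

# Assumed placeholder styles for an unfinished debug build: {NAME}, <NAME>, %NAME%
PLACEHOLDER_PATTERN = re.compile(rb"\{[A-Z0-9_]{3,}\}|<[A-Z0-9_]{3,}>|%[A-Z0-9_]{3,}%")


def extract_strings(blob: bytes, min_len: int = 6) -> List[bytes]:
    """Return runs of printable ASCII at least min_len long (strings(1) behaviour)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def triage(blob: bytes) -> Dict[str, List[str]]:
    """Classify extracted strings into Windows-port artefacts and placeholders."""
    found: Dict[str, List[str]] = {"windows_artifacts": [], "placeholders": []}
    for s in extract_strings(blob):
        if any(p.search(s) for p in WINDOWS_PORT_ARTIFACTS):
            found["windows_artifacts"].append(s.decode("ascii"))
        if PLACEHOLDER_PATTERN.search(s):
            found["placeholders"].append(s.decode("ascii"))
    return found


def is_suspicious(found: Dict[str, List[str]]) -> bool:
    """Both artefact classes together match the profile described for the sample."""
    return bool(found["windows_artifacts"]) and bool(found["placeholders"])


# Constructed stand-in for a Mach-O binary: 64-bit magic, padding, then strings.
SAMPLE = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 8
    + b"Failed to open \\\\.\\pipe\\snake_ctl\x00"
    + b"/Applications/Internet Explorer.app\x00"
    + b"explorer.exe\x00"
    + b"server=<C2_HOST>;port={C2_PORT}\x00"
    + b"Adobe Flash Player Installer\x00"
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result, "suspicious:", is_suspicious(result))
```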