A piece of malware long targeting Windows users —known sometimes as “Snake,” “Turla,” or “Uroboros” —is now reportedly being turned against Mac owners.
The updated code comes disguised as an Adobe Flash Player installer, wrapped inside a ZIP file labeled “Install Adobe Flash Player.app.zip,” Malwarebytes said on Friday. A giveaway to its origins is that when run, the installer is signed by an “Addy Symonds” instead of Adobe —this initially tricked macOS’s Gatekeeper feature, but Apple has already revoked the bad certificate.
If Gatekeeper is set to allow unsigned apps, victims should then be asked to enter their administrator password, as with Adobe’s real Flash installer. The look of the installer also mimics the real software, and in fact a working version of Flash is ready at the end. Similar malware typically runs a completely fake Flash installation, or has to launch the legitimate one second.
People who fall prey open up a backdoor to their system which can expose passwords and unencrypted files, Malwarebytes said.
Infection is unlikely not just because of Gatekeeper, but because the file must be intentionally downloaded and run, for instance when delivered as an email attachment.
Just last week, another piece of malware, known as “Dok,” was also discovered targeting Mac users with a signed certificate. That code was being delivered through an email phishing campaign, and concealed as a fake OS X update.