A new piece of backdoor malware originally discovered on Windows has found a new home in macOS. Disguising itself as a legitimate Adobe Flash Player installer, the malware burrows into pre-existing macOS folders making it harder to spot. Having used a valid developer’s certificate, the malware was set to run free on macOS even with Gatekeeper enabled.
These certificates were created to help validate applications with Gatekeeper, but lately have been used to spread malicious software. This is the second reported malware incident in the past week using a valid certificate.
The Snake malware, and the family it derives from, has been around for nearly a decade now. Malwarebytes reports that Snake has been infecting Windows systems as far back as 2008, and that a Linux variant was discovered in 2014. Fox-IT describes it as a “relatively complex malware framework”, citing a research paper from the Swiss government’s Computer Emergency Response Team.
Fox-IT makes it clear that attacks involving Snake are highly targeted.
Researchers who have previously analyzed compromises where Snake was used have attributed the attacks to Russia. Compared to other prolific attackers with alleged ties to Russia…Snake’s code is significantly more sophisticated, its infrastructure more complex and targets more carefully selected.
Today’s macOS variant isn’t one you’ll randomly receive, but the manner in which it hides itself is important.
Snake’s Adobe Flash malware
On macOS, Snake is distributed as a .zip file titled Adobe Flash Player.app.zip. The archive contains a legitimate, but backdoored, version of Adobe’s Flash Player. The application inside initially appears legitimate because it carries a valid signing certificate issued through Apple. On closer inspection, the signature belongs to a developer named Addy Symonds, not to Adobe as expected. Even the application’s bundle structure looks odd when compared to a normal one.
Most users wouldn’t think to check an application’s bundle before installing the app.
If a user proceeded with the installation regardless, the malware would, handily enough, install a legitimate copy of Adobe Flash Player on the system. During that install it would also drop the malicious backdoor files into macOS system folders and make them persistent: by registering a LaunchDaemon, it ensures the backdoor is quickly relaunched if it is ever closed.
How to check if you’re infected with Snake’s backdoor malware
The Snake version currently in the wild contains debug code, and its certificate was signed in February of this year. This leads Fox-IT to believe it may not have been operational yet, but would soon be used against targets.
Luckily, if anyone does have the Adobe Flash Player.app.zip file on their system, macOS’ Gatekeeper will no longer show the developer certificate as valid. Apple has revoked that developer’s certificate to limit further damage.
To easily check if a system has been infected by the Snake backdoor malware, run a scan with Malwarebytes for Mac. The free software will detect Snake as OSX.Snake and remove it.
If you’d like to check for infection manually, the backdoor installs the following components:
- /Library/Scripts/queue
- /Library/Scripts/installdp
- /Library/Scripts/installd.sh
- /Library/LaunchDaemons/com.adobe.update.plist
- /var/tmp/.ur-*
- /tmp/.gdm-socket
- /tmp/.gdm-selinux
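The manual check described above, and the LaunchDaemon persistence described earlier, as an added example that is not code from the article, Malwarebytes or Fox-IT. The indicator paths are the ones listed above; the sample plist the script can write is constructed for illustration, since the article does not show the contents of the real com.adobe.update.plist, and the ROOT argument is an assumption added so an offline volume can be checked too.

```shell
#!/bin/sh
# Added example, not code from the article, Malwarebytes or Fox-IT: checks a
# macOS system (or an offline volume mounted under ROOT) for the Snake backdoor
# artifacts listed above, and shows what the LaunchDaemon plist would keep
# running. Usage:  sh snake_check.sh [ROOT]     (ROOT defaults to /)

# Indicator paths from the article. /var/tmp/.ur-* is expanded as a glob below.
SNAKE_PATHS="
/Library/Scripts/queue
/Library/Scripts/installdp
/Library/Scripts/installd.sh
/Library/LaunchDaemons/com.adobe.update.plist
/tmp/.gdm-socket
/tmp/.gdm-selinux
"

# find_snake_artifacts [ROOT]
# Prints each indicator present under ROOT, one per line.
# Returns 0 when none exist (clean) and 1 when at least one does.
find_snake_artifacts() {
    base="${1:-/}"
    base="${base%/}"              # "" for /, so "$base$path" never doubles the slash
    found=0
    for path in $SNAKE_PATHS; do
        if [ -e "$base$path" ]; then
            echo "$base$path"
            found=$((found + 1))
        fi
    done
    for f in "$base"/var/tmp/.ur-*; do
        [ -e "$f" ] || continue   # an unmatched glob stays literal; skip it
        echo "$f"
        found=$((found + 1))
    done
    [ "$found" -eq 0 ]
}

# launchd_program_args PLIST
# Prints the <string> entries of the plist's ProgramArguments array, i.e. the
# command launchd runs. Plain awk, so it also works on a non-macOS analysis box.
launchd_program_args() {
    awk '/<key>ProgramArguments<\/key>/ { grab = 1; next }
         grab && /<\/array>/ { exit }
         grab && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print }' "$1"
}

# launchd_keepalive PLIST
# Returns 0 when KeepAlive is true: launchd then restarts the job whenever it
# exits, which is the "relaunch if closed" persistence described above.
launchd_keepalive() {
    grep -A1 '<key>KeepAlive</key>' "$1" | grep -q '<true/>'
}

# write_sample_plist PATH
# Writes a constructed launchd plist (the article does not show the real
# com.adobe.update.plist) so the two helpers above can be tried on a clean machine.
write_sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.adobe.update</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Library/Scripts/installdp</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key>
  <true/>
</dict>
</plist>
EOF
}

# main [ROOT]: report findings; returns 1 if any artifact is present.
main() {
    root="${1:-/}"
    if artifacts=$(find_snake_artifacts "$root"); then
        echo "No Snake artifacts found under $root"
        return 0
    fi
    echo "WARNING: Snake artifacts present under $root:"
    echo "$artifacts"
    plist="${root%/}/Library/LaunchDaemons/com.adobe.update.plist"
    if [ -f "$plist" ]; then
        echo "LaunchDaemon runs: $(launchd_program_args "$plist" | tr '\n' ' ')"
        if launchd_keepalive "$plist"; then
            echo "KeepAlive is true: launchd restarts it whenever it exits"
        fi
    fi
    return 1
}

main "$@"
```

Run it with no argument on the Mac itself, or point ROOT at a mounted image of a suspect disk. The signer check from the article is done separately on a live Mac with `codesign -dv --verbose=4 "/path/to/Adobe Flash Player.app"`, whose Authority= lines name the developer the certificate was issued to; a Flash installer whose authority is not Adobe is the warning sign the article describes.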
Malwarebytes recommends changing passwords and contacting your business IT department if you were infected. The former is to secure yourself and online accounts, and the latter to mitigate any potential company damage.
Attacks like these are easily spread through spear phishing emails, so be vigilant in your online behaviors.
Images Credit: Malwarebytes
Adobe Flash Player for Mac lets you access Flash content in Web sites when using browsers like OS X's Safari. The plug-in integrates seamlessly and through a preference pane, gives you control over the type of access each Web site has to your system. The only downside to using it is that it suffers from performance issues.
Pros
Configurable: The plug-in adds a new preference pane in System Preferences where you will be able to adjust your local storage, camera, mic and peer-assisted networking settings to either allow the feature for all Web sites, on a per-request basis, or to deny all requests.
Per-site settings: All the features listed above support per-site settings for even more precise control.
Advanced options: The app lets you delete all Flash-related data and settings as well as audio and video license files, deauthorize the computer, and access trusted locations for developer testing.
Cons
Performance issues: Despite its long history with OS X, this software tends to slow down your computer and drain your battery.
Bottom Line
If you're constantly visiting Flash-based Web sites, you will have to install either this plug-in, or a browser like Google Chrome, which has built-in Flash support. Generally, the better way to go would be to use Chrome since there will be a lower performance impact on your system. But if Chrome is not your kind of browser, then this plug-in remains a viable solution for enjoying Flash content on your Mac.