The attackers behind the Russian has developed a new generation of Trojans for Windows and Mac with a whole set of innovative techniques, experts research companies Fox-IT and Palo Alto Networks. In particular, they got an API that allows hackers, if necessary, to change the direction of traffic between it and the C&C server.
The malware was developed using the software platform .NET Framework and is available in three versions – for Windows, Mac and Linux. Palo Alto researchers analyzed the Windows version, it was called Kazuar. Experts Fox-IT found the Mac version, dubbed the Snake.
On the macOS platform is distributed by Trojan mailing archive Adobe Flash Player.app.zip. It contains the infected version of Adobe Flash Player: if users install it on your computer, the system, in addition to quite a working plugin, will appear a malicious backdoor that uses a service LaunchDaemon to automatically download.
Experts believe that “malware” was developed by a Russian cybercriminal gang Turla associated with the longest in the entire history of a cyberspying campaign. Malware is a replacement for the Trojan Uroburos, destroyed in 2014, researchers at G Data.
Experts Fox-IT discovered a malicious application, it is recommended to scan Mac utility Malwarebytes. Manually check the presence of “malware” is possible in the following ways:
- /Library/Scripts/queue
- /Library/Scripts/installdp
- /Library/Scripts/installd.sh
- /Library/LaunchDaemons/com.adobe.update.plist
- /var/tmp/.ur-*
- /tmp/.gdm-socket
- /tmp/.gdm-selinux
Like most other Trojans, Snake asks for commands to the command server by enclosing the address. Mostly obtained by the malware team are the same as the rest of the Trojans, but one of them is different.
Team remote runs a web server on your host, providing an API for remote connections. In other words, Snake like Kazuar can change the usual flow connection to the C&C server. Instead, the infected host is pinging the server for new commands, an attacker can whenever you want to ping the victim’s system and send the malware instructions.
This approach has two big advantages. First, the attacker may wish to migrate to another C&C server, and second, thus the Snake is able to bypass some security solutions. Was the malware in a real attack, is still unknown.
