Summary
Snake, also known as Turla, Uroburos and Agent.BTZ, is a relatively complex malware framework used for targeted attacks1.
Over the past year Fox-IT has been involved in multiple incident response cases where the Snake framework was used to steal sensitive information. Targets include government institutions, military and large corporates.
Operating system: Windows, Mac OS X; Upgrade price. Foxit is a fast and convenient PDF reader with different view modes. Star vpn mac. It’s perfect for users that need a simple tool for reading PDFs without additional features. The software is available on all common operating systems. Foxit Reader (for Mac OS X only) provides a Foxit Reader Advanced Tools add-on to help you process PDF files in batch. This toolkit allows you to edit document properties, organize PDF pages, add stamps to PDFs, convert images to PDF or vice versa, and more. You will be offered a 14-day trial for Foxit Reader Advanced Tools.
Researchers who have previously analyzed compromises where Snake was used have attributed the attacks to Russia2. Compared to other prolific attackers with alleged ties to Russia, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), Snake’s code is significantly more sophisticated, its infrastructure more complex and targets more carefully selected. Viewer lite for mac.
The framework has traditionally focused on the Windows operating system, but in 2014 the first Linux variant was observed3.
Now, Fox-IT has identified a version of Snake targeting Mac OS X.
As this version contains debug functionalities and was signed on February 21st, 2017 it is likely that the OS X version of Snake is not yet operational.
Fox-IT expects that the attackers using Snake will soon use the Mac OS X variant on targets.
Functionality
For Windows versions the architecture of Snake typically consists of a kernel mode driver designed to hide the presence of several Snake components and to provide low-level access to network communication. Depending on the architecture of a targeted machine either kernel or user mode is used for network communication.
The OS X version of Snake is a port of the Windows version. References to explorer, Internet Explorer and Named Pipes are still present in the binary.
Install Adobe Flash Player.app
The Snake binary comes inside of a ZIP archive named Adobe Flash Player.app.zip
which is a backdoored version of Adobe’s Flash Player installer.
The install.sh
script is patched with the following lines:
The installd.sh
that is invoked contains the following code:
The shell script checks if installdp
is already running, if not it will start with:
Persistence
The backdoor is persisted via Apple’s LaunchDaemon service:
Codesigning details
In order for an Application to be run on OS X it has to be signed with a valid certificate issued by Apple or it would be blocked by GateKeeper (unless configured otherwise). The following, likely stolen, developer certificate was used to sign the fake Adobe Flash installer which includes the Snake binary:
Fox-IT has informed Apple’s security team with the request to revoke the certificate.
Debug build
Several strings found throughout the binary indicate that this version is in fact a debug build.
An interesting observation is the fact that the contents of a temporary file storing command output are converted using KOI8-R encoding, designed to cover the Russian language, which uses the Cyrillic alphabet.
This indicates that the developers tested with Russian command output (encoded using the KOI8-R codepage). On systems where the command output is displayed in another language (and another codepage), text would be incorrectly respresented in Cyrillic characters.
Foxit Reader For Mac Os X
Queue file
Builds of Snake generally contain a Queue file. Queue files are used to store Snake’s configuration data, module binaries and queued network packets.
The following transport chains are configured in this queue file:
Obfuscated strings
Snake binaries contain strings that can be obtained through snake_name_get() call. These strings are stored as a pair of 0x40 byte blobs that are XOR-ed against each other. In this binary the blobs only contain placeholders that are yet to be replaced by the actual values, which is another indication that this Snake binary is not yet ready to deploy to targets.
Indicators of compromise
Files
SHA256:
Download Foxit Pdf
Network
The following domain is configured in Snake's queue file for HTTP network transport:
The resolving IP belongs to a Satellite communications provider:
Though Snake is typically spread using spear-phishing e-mails and watering hole attacks Fox-IT has not yet observed this sample being spread in the wild.
Jelle Vergeer, Krijn de Mik, Mitchel Sahertian, Maarten van Dantzig & Yun Zheng Hu
Fox-IT Threat Intelligence
Foxit For Mac Os X
References
Foxit Reader Download Windows 10
- https://www.melani.admin.ch/dam/melani/en/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf ↩
- https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf ↩
- https://securelist.com/analysis/publications/65545/the-epic-turla-operation/ ↩