Discussion – 


Malware disguised as Adobe Flash Installer

Malware for the Mac is on the rise and recently, the Adobe Flash player has been disguised as a possible attack.

How exactly does this work? An older Windows malware trojan wormed its way the macOS ecosystem, complete with a signed Apple developer certificate. Once permission is granted, it hides itself deep inside macOS folders and appears as the Adobe Flash Player.

This malware has been targeting Windows and Linux for years and is now targeting Mac. Fox-IT has identified a version of Snake targeting Mac OS X. Fox-IT expects that the attackers using Snake will soon target MAC OS X.

Fortunately, Apple revoked the fake developer certificate to prevent future threats but it is important to still be wary. There is still a chance of someone downloading Snake by accident through other channels.

Here’s how Snake slithers into your Mac:

  1. The file named Install Adobe Flash Player.app.zip will appear to be an Adobe Flash installer
  2. If the app is opened, it will ask for your username and password and if the password is provided, the behavior continues
  3. Flash is installed on the Mac
  4. Since the fake developer certificate has already been revoked so your built in security program will most likely stop the process

To refresh on security tips, if you receive an email with an attachment, make sure it is from a legitimate source before you click on it. Make sure it is an address that you recognize. And specific to Snake trojan, avoid downloading zip files with the name Install Adobe Flash Player.app.zip.

What do you do if you think you have already been attacked?

Find and delete the following files:

  • /Library/LaunchDaemons/com.adobe.update.plist
  • /Library/Scripts/installd.sh
  • /Library/Scripts/queue
  • /var/tmp/.ur-*
  • /tmp/.gdm-socket
  • /tmp/.gdm-selinux

Next, delete the stolen/fake signed Apple Developer certificate:

  • Launch Finder.
  • Select Applications.
  • Open your Utilities folder.
  • Double-click on Keychain Access.
  • Select the certificate named Adobe Flash Player installer with the signed certificate issued to Addy Symonds.
  • Right or Control + click on the Certificate.
  • Select Delete Certificate from the drop down options.
  • Select Delete to confirm that you want to delete the certificate.

Lastly, change your administrator password to ensure that the hacker can’t get back in.

Sources: http://www.appy-geek.com/Web/ArticleWeb.aspx?regionid=1&articleid=95674982&source=digest&tagid=899&tagname=Smartphone

You May Also Like