Disguised as a Flash Player installer, “Snake” malware arrives on macOS

Known in the Windows world for exposing passwords and information protected by encryption, the "Snake" Trojan has been ported to macOS. Fox-IT, responsible for its discovery, published an extensive analysis of how it works on the Mac, where the only means of entry found so far is a fake installer for Adobe Flash Player.

This malware is of Russian origin and, in its Windows version, is known for the sophisticated architecture that gave rise to variants such as “Turla”, “Uroburos” and “Agent.BTZ”, all of which are easily detected by antivirus software for PCs today. On macOS, however, those responsible for the port were not very bold.

Snake, disguised as installing Flash Player

A real Flash Player installer is used, which copies the “Snake” files to the victim's computer once administrative credentials are provided. However, in addition to being relatively easy to track and remove, the binaries can only be installed if Gatekeeper is turned off on the system, since the only digital signature used to disguise them as legitimate has already been revoked by Apple (at the request of the researchers who identified it).

This scenario has come up frequently in recent malware discoveries. Most users keep Gatekeeper enabled at least at its most moderate level, where all applications must be signed with a certificate validated by Apple in order to run.

With the use of Flash Player on the market being low, it is believed that the number of victims of malware presented in this way is also low. Since the launch of the second generation of the MacBook Air (that is, more than six years ago!), Apple has no longer pre-installed the Adobe plugin on its products. Chrome users do get it built into the browser, but Google itself takes care of applying patches to it automatically and is limiting its functionality with each update.

(via 9to5Mac)
