Summary
Snake, also known as Turla, Uroburos and Agent.BTZ, is a relatively complex malware framework used for targeted attacks [1].
Over the past year Fox-IT has been involved in multiple incident response cases where the Snake framework was used to steal sensitive information. Targets include government institutions, military and large corporates.
Researchers who have previously analyzed compromises where Snake was used have attributed the attacks to Russia [2]. Compared to other prolific attackers with alleged ties to Russia, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), Snake’s code is significantly more sophisticated, its infrastructure more complex and its targets more carefully selected.
The framework has traditionally focused on the Windows operating system, but in 2014 the first Linux variant was observed [3].
Now, Fox-IT has identified a version of Snake targeting Mac OS X.
As this version contains debug functionality and was signed on February 21st, 2017, it is likely that the OS X version of Snake is not yet operational.
Fox-IT expects that the attackers using Snake will soon use the Mac OS X variant on targets.
Functionality
For Windows versions, the architecture of Snake typically consists of a kernel mode driver designed to hide the presence of several Snake components and to provide low-level access to network communication. Depending on the architecture of a targeted machine, either kernel or user mode is used for network communication.
The OS X version of Snake is a port of the Windows version. References to explorer, Internet Explorer and Named Pipes are still present in the binary.
Install Adobe Flash Player.app
The Snake binary comes inside of a ZIP archive named `Adobe Flash Player.app.zip`, which is a backdoored version of Adobe’s Flash Player installer. The `install.sh` script is patched with the following lines:
The `installd.sh` script that is invoked contains the following code:
The shell script checks if `installdp` is already running; if not, it will start it with:
Persistence
The backdoor is persisted via Apple’s LaunchDaemon service:
Codesigning details
In order for an application to be run on OS X it has to be signed with a valid certificate issued by Apple, or it would be blocked by Gatekeeper (unless configured otherwise). The following, likely stolen, developer certificate was used to sign the fake Adobe Flash installer which includes the Snake binary:
Fox-IT has informed Apple’s security team with the request to revoke the certificate.
Debug build
Several strings found throughout the binary indicate that this version is in fact a debug build.
An interesting observation is the fact that the contents of a temporary file storing command output are converted using KOI8-R encoding, designed to cover the Russian language, which uses the Cyrillic alphabet.
This indicates that the developers tested with Russian command output (encoded using the KOI8-R codepage). On systems where the command output is displayed in another language (and another codepage), text would be incorrectly represented in Cyrillic characters.
Queue file
Builds of Snake generally contain a Queue file. Queue files are used to store Snake’s configuration data, module binaries and queued network packets.
The following transport chains are configured in this queue file:
Obfuscated strings
Snake binaries contain strings that can be obtained through a snake_name_get() call. These strings are stored as a pair of 0x40-byte blobs that are XOR-ed against each other. In this binary the blobs only contain placeholders that are yet to be replaced by the actual values, which is another indication that this Snake binary is not yet ready to deploy to targets.
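The XOR-pair scheme described above, reimplemented as an added analysis example (this is not Fox-IT’s code and not code from the sample). It assumes each string is stored as two 0x40-byte blobs whose XOR yields a NUL-terminated ASCII string; the builder-side `make_blob_pair()` and the hunting heuristic `looks_like_string_pair()` are assumptions used to round-trip constructed data.

```python
"""Decoder for Snake's XOR-ed string pairs (added example, not the
original code). Assumed layout: two 0x40-byte blobs per string, one a
random mask and one the NUL-padded string XOR-ed with that mask."""
import os
from typing import Optional, Tuple

BLOB_LEN = 0x40
PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII, used as a sanity check


def snake_name_get(blob_a: bytes, blob_b: bytes) -> str:
    """Recover the plaintext by XOR-ing the two blobs together, which is
    what the binary's snake_name_get() call does at runtime."""
    if len(blob_a) != BLOB_LEN or len(blob_b) != BLOB_LEN:
        raise ValueError(f"expected two {BLOB_LEN:#x}-byte blobs")
    raw = bytes(x ^ y for x, y in zip(blob_a, blob_b))
    # The decoded buffer is NUL-terminated; ignore the padding after it.
    return raw.split(b"\x00", 1)[0].decode("ascii")


def make_blob_pair(name: str, mask: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Build a blob pair the way a builder presumably would (assumption):
    NUL-pad the string to 0x40 bytes and XOR it with a random mask.
    Both blobs look like random bytes, which is why plain string
    searches do not find these names in the binary."""
    data = name.encode("ascii")
    if len(data) >= BLOB_LEN:
        raise ValueError("string does not fit in a single blob")
    if mask is None:
        mask = os.urandom(BLOB_LEN)
    padded = data.ljust(BLOB_LEN, b"\x00")
    return mask, bytes(m ^ p for m, p in zip(mask, padded))


def looks_like_string_pair(blob_a: bytes, blob_b: bytes) -> bool:
    """Heuristic for hunting candidate pairs in a memory dump: the XOR
    must be non-empty printable ASCII up to the first NUL, followed by
    nothing but NUL padding."""
    if len(blob_a) != BLOB_LEN or len(blob_b) != BLOB_LEN:
        return False
    raw = bytes(x ^ y for x, y in zip(blob_a, blob_b))
    text, _, tail = raw.partition(b"\x00")
    return bool(text) and all(c in PRINTABLE for c in text) and not tail.strip(b"\x00")
```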
Indicators of compromise
Files
SHA256:
Network
The following domain is configured in Snake's queue file for HTTP network transport:
The resolving IP belongs to a Satellite communications provider:
Though Snake is typically spread using spear-phishing e-mails and watering hole attacks, Fox-IT has not yet observed this sample being spread in the wild.
Jelle Vergeer, Krijn de Mik, Mitchel Sahertian, Maarten van Dantzig & Yun Zheng Hu
Fox-IT Threat Intelligence
References
1. https://www.melani.admin.ch/dam/melani/en/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf
2. https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf
3. https://securelist.com/analysis/publications/65545/the-epic-turla-operation/