Apple updates XProtect malware definitions for Mac trojan OSX/Snake.A

“Nearly one year after the discovery of a macOS Trojan, identified as OSX/Snake, Apple has issued an update to its XProtect malware definitions to provide rudimentary protection against this Mac threat,” Derek Erwin reports for Intego. “This update brings Apple’s Malware Removal Tool ( to version 1.32, and detects the macOS Snake variant as OSX.4e36ae6. Apple also added detection for a piece of malware it identifies as OSX.127eaa6.”

“In early May 2017, security researchers discovered that malware known by the names Snake, Turla, and Uroburos was ported from Windows to Mac,” Erwin reports. “The Mac version of the malware was found inside a compromised Abode Flash Player installer or embedded in compromised torrent files posing as legitimate software.

Erwin writes, “This offers a fresh reminder that you should steer clear of BitTorrent as these sites are a malware cesspool.”

Read more in the full article here.

MacDailyNews Take: XProtect to the rescue… belatedly!

Meet Coldroot, a nasty Mac trojan that went undetected for years – February 20, 2018
OSX/Proton trojan is back! Here’s what Mac users need to know – October 26, 2017
macOS trojan malware spread via compromised Eltima Software downloads – October 20, 2017


    1. Yes.

      Here is where to check if you have this week’s update:
      – Apple Menu: About This Mac
      – System Report…
      – Software: Installations
      – Software Name: MRTConfigData
      – Version 1.32

      1.32 will be listed under ‘Install Date’ as some time earlier this week, typically 4/23 or 4/24/18.

      1. Derek, Thanks!

        I don’t see the MRTConfigData in my software list of updates but I do see XProtectPlisitConfigData being updated. Assuming this is what it is called in Mavericks.

        1. I don’t have a Mavericks installation to check. Searching the net provides no directly accessible history of MRT (malware removal tool). However, digging around in my personal archives I found the first mention of MRT was in 2012 by my colleague Topher Kessler while he was working for CNET. That corresponds to OS X 10.7 Lion. At the time, MRT was called ‘MRTAgent’. More current versions of macOS call it simply ‘’. You should find one or the other named process here:


          No doubt, the results from a System Report on Mavericks are different from recent versions macOS. Therefore, to find records of MRTConfigData updates:

          1) Go to: /System/Library/Receipts/
          2) Look for files that begin with the name “”…. There should numbered files with extensions .bom and .plist. These files are records of MRT being updated.
          3) Look in the same Receipts folder for files beginning with ‘’. They will also be numbered and end with the .bom extension. They are, from what I can gather, older update record files, the naming system having changed some time in 2017, probably with macOS Sierra.

          Bounce back with your results! I’d be interested to know what you find.

        2. Hi Kramer! I conferred with my Mac security collaborator Al. Up until El Capitan, the MRTAlert process was not persistent on macOS. It would run with an OS update to clean out any infection from the ongoing fake ‘Adobe Flash’ installer vectors, then erase itself. Therefore, I’d be surprised if you found any sign of it in the System Receipts and therefore in the System Report.

  1. Sheesh Apple!

    The original name of this malware was X-Agent. Because the anti-malware community is bizniz based and NOT science based, that means there was the usual naming war. Therefore, here are some other names for exactly the same malware:
    – Turia
    – Uroburos
    – Agent.BTZ

    And with that naming chaos already making a ridiculous mess of the anti-malware community, Apple has to go and make up a NEW NAME that is entirely meaningless to anyone but them:
    – 4e36ae6

    Boo To You Apple.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.