Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security //

MacOS

2/21/2018
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Coldroot RAT Sends Mac Antivirus Down a Maze

A new blog by a Digita Security researchers finds that Coldroot RAT, which specifically targets Mac and macOS users, is still eluding detection from different antivirus engines, even though it's available on GitHub.

Patrick Wardle, a researcher at Digita Security, has seemingly found a new version of the Remote Access Trojan (RAT) that was open sourced on GitHub in 2016. This RAT was remarkable since it was developed to target Apple's macOS, and is not detected to this day by antivirus engines.

Wardle describes on his blog how he tripped over the new version while looking at macOS's "privacy database" (TCC.db), which contains the list of applications that are afforded "accessibility" rights. Once in this database, a program can interact with system UIs, applications or even intercept key events -- i.e. keylogging.

Mac users may indirectly know of this database, since it was directly modified by initial versions of Dropbox without Dropbox ever telling the user it was doing so as it was supposed to. Apple Inc. (Nasdaq: AAPL) responded by system protecting the database to rain on Dropbox's parade.

Anyway, Wardle found a 1.3MB file called com.apple.audio.driver2.app that referenced the TCC.db. The fact that this file was of non-Apple origin despite its title was very suspicious. The fact that the file was not signed by Apple was another nail in the coffin.

The blog outlines the technical steps he took -- using mostly open sourced software, too! -- to figure out what was hiding in that file.

When he was done, he found the Coldroot RAT looking back at him. It wasn't just the older Coldroot, but one improving over the older version. Someone had seemingly taken it and added capabilities. This version could spawn new remote desktop sessions as well as take screen captures to generate a live stream of the victim's desktop.

Not only that it can start and kill processes on the target's system, as well as search, download, upload and execute files.

The malware does need to show an alert to the user that it is making changes, but once it has been given the OK -- perhaps by a novice user -- it will act silently.


The fundamentals of network security are being redefined – don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

The malware will persist by launching itself as a daemon with root status when the system comes up. And while the RAT tries to sneak itself into TCC.db, the effort will fail on newer versions of macOS thanks to Dropbox having previously forced Apple's hand on the file.

So, there is a publicly available RAT targeting macOS that has been upgraded with additional functionality. Running the fake driver name through VirusTotal as of this writing shows that only the ESET tool warns of it. All others give it a pass.

Users will need to be aware of this bogus driver and steer clear from it or anything that references it. AV engines do not yet understand the hidden RAT that possibly lies within their Macs.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.