Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security //

MacOS

// // //
2/21/2018
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb

Coldroot RAT Sends Mac Antivirus Down a Maze

A new blog by a Digita Security researchers finds that Coldroot RAT, which specifically targets Mac and macOS users, is still eluding detection from different antivirus engines, even though it's available on GitHub.

Patrick Wardle, a researcher at Digita Security, has seemingly found a new version of the Remote Access Trojan (RAT) that was open sourced on GitHub in 2016. This RAT was remarkable since it was developed to target Apple's macOS, and is not detected to this day by antivirus engines.

Wardle describes on his blog how he tripped over the new version while looking at macOS's "privacy database" (TCC.db), which contains the list of applications that are afforded "accessibility" rights. Once in this database, a program can interact with system UIs, applications or even intercept key events -- i.e. keylogging.

Mac users may indirectly know of this database, since it was directly modified by initial versions of Dropbox without Dropbox ever telling the user it was doing so as it was supposed to. Apple Inc. (Nasdaq: AAPL) responded by system protecting the database to rain on Dropbox's parade.

Anyway, Wardle found a 1.3MB file called com.apple.audio.driver2.app that referenced the TCC.db. The fact that this file was of non-Apple origin despite its title was very suspicious. The fact that the file was not signed by Apple was another nail in the coffin.

The blog outlines the technical steps he took -- using mostly open sourced software, too! -- to figure out what was hiding in that file.

When he was done, he found the Coldroot RAT looking back at him. It wasn't just the older Coldroot, but one improving over the older version. Someone had seemingly taken it and added capabilities. This version could spawn new remote desktop sessions as well as take screen captures to generate a live stream of the victim's desktop.

Not only that it can start and kill processes on the target's system, as well as search, download, upload and execute files.

The malware does need to show an alert to the user that it is making changes, but once it has been given the OK -- perhaps by a novice user -- it will act silently.


The fundamentals of network security are being redefined – don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

The malware will persist by launching itself as a daemon with root status when the system comes up. And while the RAT tries to sneak itself into TCC.db, the effort will fail on newer versions of macOS thanks to Dropbox having previously forced Apple's hand on the file.

So, there is a publicly available RAT targeting macOS that has been upgraded with additional functionality. Running the fake driver name through VirusTotal as of this writing shows that only the ESET tool warns of it. All others give it a pass.

Users will need to be aware of this bogus driver and steer clear from it or anything that references it. AV engines do not yet understand the hidden RAT that possibly lies within their Macs.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-31108
PUBLISHED: 2022-06-28
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generat...
CVE-2022-31229
PUBLISHED: 2022-06-28
Dell PowerScale OneFS, 8.2.x through 9.3.0.x, contain an error message with sensitive information. An administrator could potentially exploit this vulnerability, leading to disclosure of sensitive information. This sensitive information can be used to access sensitive resources.
CVE-2022-31230
PUBLISHED: 2022-06-28
Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain broken or risky cryptographic algorithm. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access.
CVE-2022-2145
PUBLISHED: 2022-06-28
Cloudflare WARP client for Windows (up to v. 2022.5.309.0) allowed creation of mount points from its ProgramData folder. During installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.
CVE-2022-28621
PUBLISHED: 2022-06-28
A remote disclosure of sensitive information vulnerability was discovered in HPE NonStop DSM/SCM version: T6031H03^ADP. HPE has provided a software update to resolve this vulnerability in HPE NonStop DSM/SCM.