Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security //

MacOS

2/21/2018
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Coldroot RAT Sends Mac Antivirus Down a Maze

A new blog by a Digita Security researchers finds that Coldroot RAT, which specifically targets Mac and macOS users, is still eluding detection from different antivirus engines, even though it's available on GitHub.

Patrick Wardle, a researcher at Digita Security, has seemingly found a new version of the Remote Access Trojan (RAT) that was open sourced on GitHub in 2016. This RAT was remarkable since it was developed to target Apple's macOS, and is not detected to this day by antivirus engines.

Wardle describes on his blog how he tripped over the new version while looking at macOS's "privacy database" (TCC.db), which contains the list of applications that are afforded "accessibility" rights. Once in this database, a program can interact with system UIs, applications or even intercept key events -- i.e. keylogging.

Mac users may indirectly know of this database, since it was directly modified by initial versions of Dropbox without Dropbox ever telling the user it was doing so as it was supposed to. Apple Inc. (Nasdaq: AAPL) responded by system protecting the database to rain on Dropbox's parade.

Anyway, Wardle found a 1.3MB file called com.apple.audio.driver2.app that referenced the TCC.db. The fact that this file was of non-Apple origin despite its title was very suspicious. The fact that the file was not signed by Apple was another nail in the coffin.

The blog outlines the technical steps he took -- using mostly open sourced software, too! -- to figure out what was hiding in that file.

When he was done, he found the Coldroot RAT looking back at him. It wasn't just the older Coldroot, but one improving over the older version. Someone had seemingly taken it and added capabilities. This version could spawn new remote desktop sessions as well as take screen captures to generate a live stream of the victim's desktop.

Not only that it can start and kill processes on the target's system, as well as search, download, upload and execute files.

The malware does need to show an alert to the user that it is making changes, but once it has been given the OK -- perhaps by a novice user -- it will act silently.


The fundamentals of network security are being redefined – don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

The malware will persist by launching itself as a daemon with root status when the system comes up. And while the RAT tries to sneak itself into TCC.db, the effort will fail on newer versions of macOS thanks to Dropbox having previously forced Apple's hand on the file.

So, there is a publicly available RAT targeting macOS that has been upgraded with additional functionality. Running the fake driver name through VirusTotal as of this writing shows that only the ESET tool warns of it. All others give it a pass.

Users will need to be aware of this bogus driver and steer clear from it or anything that references it. AV engines do not yet understand the hidden RAT that possibly lies within their Macs.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "The truth behind Stonehenge...."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21513
PUBLISHED: 2021-03-02
Dell EMC OpenManage Server Administrator (OMSA) version 9.5 Microsoft Windows installations with Distributed Web Server (DWS) enabled configuration contains an authentication bypass vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain admin acces...
CVE-2021-21514
PUBLISHED: 2021-03-02
Dell EMC OpenManage Server Administrator (OMSA) versions 9.5 and prior contain a path traversal vulnerability. A remote user with admin privileges could potentially exploit this vulnerability to view arbitrary files on the target system by sending a specially crafted URL request.
CVE-2020-25902
PUBLISHED: 2021-03-02
Blackboard Collaborate Ultra 20.02 is affected by a cross-site scripting (XSS) vulnerability. The XSS payload will execute on the class room, which leads to stealing cookies from users who join the class.
CVE-2020-1936
PUBLISHED: 2021-03-02
A cross-site scripting issue was found in Apache Ambari Views. This was addressed in Apache Ambari 2.7.4.
CVE-2021-27904
PUBLISHED: 2021-03-02
An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors.