Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security //

MacOS

2/21/2018
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Coldroot RAT Sends Mac Antivirus Down a Maze

A new blog by a Digita Security researchers finds that Coldroot RAT, which specifically targets Mac and macOS users, is still eluding detection from different antivirus engines, even though it's available on GitHub.

Patrick Wardle, a researcher at Digita Security, has seemingly found a new version of the Remote Access Trojan (RAT) that was open sourced on GitHub in 2016. This RAT was remarkable since it was developed to target Apple's macOS, and is not detected to this day by antivirus engines.

Wardle describes on his blog how he tripped over the new version while looking at macOS's "privacy database" (TCC.db), which contains the list of applications that are afforded "accessibility" rights. Once in this database, a program can interact with system UIs, applications or even intercept key events -- i.e. keylogging.

Mac users may indirectly know of this database, since it was directly modified by initial versions of Dropbox without Dropbox ever telling the user it was doing so as it was supposed to. Apple Inc. (Nasdaq: AAPL) responded by system protecting the database to rain on Dropbox's parade.

Anyway, Wardle found a 1.3MB file called com.apple.audio.driver2.app that referenced the TCC.db. The fact that this file was of non-Apple origin despite its title was very suspicious. The fact that the file was not signed by Apple was another nail in the coffin.

The blog outlines the technical steps he took -- using mostly open sourced software, too! -- to figure out what was hiding in that file.

When he was done, he found the Coldroot RAT looking back at him. It wasn't just the older Coldroot, but one improving over the older version. Someone had seemingly taken it and added capabilities. This version could spawn new remote desktop sessions as well as take screen captures to generate a live stream of the victim's desktop.

Not only that it can start and kill processes on the target's system, as well as search, download, upload and execute files.

The malware does need to show an alert to the user that it is making changes, but once it has been given the OK -- perhaps by a novice user -- it will act silently.


The fundamentals of network security are being redefined – don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

The malware will persist by launching itself as a daemon with root status when the system comes up. And while the RAT tries to sneak itself into TCC.db, the effort will fail on newer versions of macOS thanks to Dropbox having previously forced Apple's hand on the file.

So, there is a publicly available RAT targeting macOS that has been upgraded with additional functionality. Running the fake driver name through VirusTotal as of this writing shows that only the ESET tool warns of it. All others give it a pass.

Users will need to be aware of this bogus driver and steer clear from it or anything that references it. AV engines do not yet understand the hidden RAT that possibly lies within their Macs.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27981
PUBLISHED: 2020-10-28
An XSS vulnerability in the auto-complete function of the description field (for new or edited transactions) in Firefly III before 5.4.5 allows the user to execute JavaScript via suggested transaction titles. NOTE: this is exploitable only in a non-default configuration where Content Security Policy...
CVE-2020-24707
PUBLISHED: 2020-10-28
Gophish before 0.11.0 allows the creation of CSV sheets that contain malicious content.
CVE-2020-24708
PUBLISHED: 2020-10-28
Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via the Host field on the send profile form.
CVE-2020-24709
PUBLISHED: 2020-10-28
Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via a crafted landing page or email template.
CVE-2020-24710
PUBLISHED: 2020-10-28
Gophish before 0.11.0 allows SSRF attacks.