Coldroot RAT Sends Mac Antivirus Down a Maze

  /     /     /  
Publicated : 22/11/2024   Category : security


Coldroot RAT Sends Mac Antivirus Down a Maze


A new blog by a Digita Security researchers finds that Coldroot RAT, which specifically targets Mac and macOS users, is still eluding detection from different antivirus engines, even though its available on GitHub.



Patrick Wardle, a researcher at Digita Security, has seemingly found a new version of the Remote Access Trojan (RAT) that was open sourced on GitHub in 2016. This RAT was remarkable since it was developed to target Apples macOS, and is not detected to this day by antivirus engines.
Wardle describes on his blog
how he tripped over the new version while looking at macOSs privacy database (TCC.db), which contains the list of applications that are afforded accessibility rights. Once in this database, a program can interact with system UIs, applications or even intercept key events -- i.e. keylogging.
Mac users may indirectly know of this database, since it was directly modified by initial versions of Dropbox without Dropbox ever telling the user it was doing so as it was supposed to. Apple Inc. (Nasdaq: AAPL) responded by system protecting the database to rain on Dropboxs parade.
(Source:
StockSnap via Pixabay
)
Anyway, Wardle found a 1.3MB file called com.apple.audio.driver2.app that referenced the TCC.db. The fact that this file was of non-Apple origin despite its title was very suspicious. The fact that the file was not signed by Apple was another nail in the coffin.
The blog outlines the technical steps he took -- using mostly open sourced software, too! -- to figure out what was hiding in that file.
When he was done, he found the
Coldroot RAT
looking back at him. It wasnt just the older Coldroot, but one improving over the older version. Someone had seemingly taken it and added capabilities. This version could spawn new remote desktop sessions as well as take screen captures to generate a live stream of the victims desktop.
Not only that it can start and kill processes on the targets system, as well as search, download, upload and execute files.
The malware does need to show an alert to the user that it is making changes, but once it has been given the OK -- perhaps by a novice user -- it will act silently.
The fundamentals of network security are being redefined – dont get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual
Big Communications Event
. Theres still time to register and communications service providers get in free!
The malware will persist by launching itself as a daemon with root status when the system comes up. And while the RAT tries to sneak itself into TCC.db, the effort will fail on newer versions of macOS thanks to Dropbox having previously forced Apples hand on the file.
So, there is a publicly available RAT targeting macOS that has been upgraded with additional functionality. Running the fake driver name through VirusTotal as of this writing shows that only the ESET tool warns of it. All others give it a pass.
Users will need to be aware of this bogus driver and steer clear from it or anything that references it. AV engines do not yet understand the hidden RAT that possibly lies within their Macs.
Related posts:
Apple & Cisco Look to Ease Burden of Cybersecurity Insurance
New Intel Vulnerability Hits Almost Everyone
Major Apple Flaw Found, Fixed & Still Dangerous
— Larry Loeb has written for many of the last centurys major dead tree computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Last News

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Coldroot RAT Sends Mac Antivirus Down a Maze