New Trojan Targets Mac OS X Users

Researchers have found a new piece of malware that’s designed to attack the Mac OS X platform, an occurrence that’s rare enough still that each new discovery is noted separately.

The new Trojan is known as the Black Hole RAT (remote administration tool) and is capable of giving a remote attacker virtually complete control of an infected machine. It’s not clear right now whether the tool includes any exploits for OS X to help attackers install it on Macs, but in many cases malware tools like Black Hole are distributed via download sites and/or torrent sites, as researchers at Sophos noted.

The Black Hole RAT seems to be in beta form right now, and has some fairly rudimentary capabilities, according to an analysis by Meths Cebrian Ferrer, a researcher in Australia who follows Mac malware. The tool enables the attacker to remotely shut down an infected machine, display a full-screen message that gives the user no choice but to reboot the computer, request admin privileges through a fake dialog box or open the user’s browser.

The full-screen message that the Black Hole RAT displays tells the user that the tool has infected her machine and the user has no control over its actions.

“Hello, I’m the BlackHole Remote Administration Tool. I am a Trojan horse, so I have infected your Mac computer,” the message reads. “I know, most people think macs can’t be infected, but look you ARE infected. I have fill controll [sic] over your computer and I can do everything that I want and you can do nothing to prevent it. So, I’m a very new virus, under development, so there will be much more functions when I’m finished. But for now, it’s ok what I can do. To show you what I can do, I will reboot your computer after you have clicked the button right down.”

Although this Trojan targets the Mac platform, it doesn’t seem to use any Mac-specific exploits for infecting machines. Instead, it’s likely to piggyback on a download, a common tactic for attackers to plant Windows malware, as well.


  • on

    Thought you might find this interesting

  • Anthony on

    I guess it really is time to start keeping an eye out for viruses on OS X.

  • Anonymous on

    Does Kaspersky have any tool to keep this from happening?

  • Anonymous on

    Is there anything that a mac user can do to keep this from happening?

  • JoeFam on

    I use Intego Virus Barrier X6 suite. It was recommended as the best for Macs, but who knows...I think they specialize in Macs only...

  • Anonymous on

    Except it's not a trojan.  Well, not unless you think that VNC and other similar products are trojans.

    It's a remote access tool - it's advertised as such and that's what it is.  An essential element of a trojan is that there is an element of pretense, that it pretended to be something benign when it's actually some sort of malware.

    This application is quite honest about what it does, and actually does have utility for certain situations. Yes, it can be misused - but so can all other remote access tools.  I don't know why this tool has a reputation as a trojan when similar products don't.

  • Penguin on

    Time to run virtualized Linux sessions with Java not only disabled but REMOVED from your machines!  When the session is done, it wipes anything but the OS sorta like a deep freeze.  I would treat flash the same way.  And cookies get wiped at the end of the session and like the front door, trust NO ONE!  I'm using virtualized Ubuntu right now as a matter of fact.

  • Anonymous on

    Other than the fact that it advertises itself as a Trojan, not too impressed.

    Have we seen a method of delivery? Perhaps the vulnerability from CANSEC West last year in Safari. What about jump up code? Something to get the process out of the sandbox of the vulnerable process?

    Writing a RAT seems trivial - merely a client/server app. Anyone seen any vulnerabilities other than "directory traversals" for MAC?
