Researchers are warning users about the Coldroot remote access Trojan that is going undetected by AV engines and targets MacOS computers. The RAT is cross-platform and capable of planting a keylogger on MacOS systems prior to the OS High Sierra and is designed to steal banking credentials.
Coldroot was found by researcher Patrick Wardle, chief research officer at Digita Security, who published a technical write-up on the RAT Saturday. The malware, he said, appears to have been for sale on underground markets since Jan. 1, 2017 and versions of the Coldroot code have also been available on GitHub for nearly two years.
The RAT sample examined by Wardle is unsigned and when triggered makes changes to macOS’s privacy database called TCC.db, which maintains a list of applications and what level of accessibility rights they have. “With such rights, applications can then interact with system UIs, other applications, and even intercept key events (i.e. keylogging). By directly modifying the database, one could avoid the obnoxious system alert that is normally presented to the user,” Wardle wrote.
He said the RAT masquerades as an Apple audio driver “com.apple.audio.driver2.app” that when clicked on displays a standard authentication prompt requesting the target to enter their MacOS credentials. Once engaged, the RAT modifies the privacy TCC.db database, granting the malware accessibility rights in order to perform system-wide keylogging.
The researcher notes that on MacOS High Sierra systems Apple now protects TCC.db via its System Integrity Protection (SIP). “Thought this (Coldroot) script is executed as root, on newer versions of macOS (Sierra+) it will fail as the privacy database is now protected by SIP,” he wrote.
Coldroot maintains persistence on MacOS systems by installing itself as a launch daemon, meaning the malware as automatically started each time the infected system is rebooted.
“Behind the scenes, the application will automatically beacon out to a server. While creating a network connection is itself not inherently malicious, it is a common tactic used by malware – specifically to check in with a command and control server for tasking,” Wardle notes.
“When the malware receives a command from the server to start a remote desktop session, it spawns a new thread named: ‘REMOTEDESKTOPTHREAD’. This basically sits in a while loop (until the ‘stop remote desktop’ command is issued), taking and ‘streaming’ screen captures of the user’s desktop to the remote attacker,” he notes.
Wardle said it appears the malware’s author “Coldzer0” has provided snippets of the RAT’s code online starting in January 2017. He noted the author has advertised the RAT for sale and offered buyers ways to customize the malware. He notes, that a video posted by Coldzer0 advertises the RAT as cross-platform and can be used to attack MacOS, Windows and Linux systems.