CYBER NEWS

Coldroot macOS RAT and Keylogger Goes Undetected for Years

Coldroot is a remote access Trojan (RAT) that has been distributed on MacOS machines without being detected for quite some time. Researchers say that the malware is cross-platform and that it could successfully drop a keylogger on MacOS prior to High Sierra. Coldroot’s purpose is to harvest credentials from compromised systems.

Related Story: Fruitfly, the First Mac Malware for 2017 Cracked by Researcher

Coldroot Remote Access Trojan Technical Details

The malware was discovered by Patrick Wardle from Digita Security. The researcher has been covering older, mitigated attacks “which sought to dismiss or avoid UI security prompts”, such as abusing AppleScript, sending simulated mouse events via core graphics, or even interacting with the file system.

An example of the latter was DropBox, which directly modified macOS’s ‘privacy database’ (TCC.db) which contains the list of applications that are afforded ‘accessibility’ rights. With such rights, applications can then interact with system UIs, other applications, and even intercept key events (i.e. keylogging). By directly modifying the database, one could avoid the obnoxious system alert that is normally presented to the user.

Apple has already mitigated this attack by using System Integrity Protection, several macOS keyloggers are still attempting to leverage it. That’s why the researcher decided to analyze one such keylogger.

The sample of the Coldroot RAT he examined is unsigned. Apparently, the tool itself has been offered for sale on underground markets since January, 2017. In addition, versions of the malware code have been available on GitHub for two years.

When activated, it makes changes to the system’s privacy database called TCC.db, which is designed to maintain a list of apps and their level of accessibility rights. “With such rights, applications can then interact with system UIs, other applications, and even intercept key events (i.e. keylogging). By directly modifying the database, one could avoid the obnoxious system alert that is normally presented to the user,” the researcher said.

Furthermore, Coldroot disguises as an Apple audio driver – com.apple.audio.driver2.app. When clicked, it would show a standard authentication prompt asking the user to enter their macOS credentials. Once the potential victim is tricked, the RAT would modify the privacy TCC.db database allowing itself accessibility rights and system-wide keylogging.

Related Story: MacRansom and MacSpy Prove that Macs Are Not Safe from Malware

Coldroot can be persistent on a system by installing itself as a launch demon, which means that it will start automatically upon each reboot. More technical details you can find here.

Milena Dimitrova

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...