Coldroot is a remote access Trojan (RAT) that has been distributed on macOS machines without being detected for quite some time. Researchers say that the malware is cross-platform and that it could successfully drop a keylogger on macOS versions prior to High Sierra. Coldroot's purpose is to harvest credentials from compromised systems.
Coldroot Remote Access Trojan Technical Details
The malware was discovered by Patrick Wardle from Digita Security. The researcher has been covering older, mitigated attacks “which sought to dismiss or avoid UI security prompts”, such as abusing AppleScript, sending simulated mouse events via core graphics, or even interacting with the file system.
An example of the latter was Dropbox, which directly modified macOS's 'privacy database' (TCC.db), the database that holds the list of applications afforded 'accessibility' rights. With such rights, applications can interact with system UIs and other applications, and even intercept key events (i.e. keylogging). By directly modifying the database, one could avoid the obnoxious system alert that is normally presented to the user.
Although Apple has already mitigated this attack with System Integrity Protection, several macOS keyloggers still attempt to leverage it. That is why the researcher decided to analyze one such keylogger.
The sample of the Coldroot RAT he examined is unsigned. Apparently, the tool itself has been offered for sale on underground markets since January 2017. In addition, versions of the malware code have been available on GitHub for two years.
When activated, it makes changes to the system’s privacy database called TCC.db, which is designed to maintain a list of apps and their level of accessibility rights. “With such rights, applications can then interact with system UIs, other applications, and even intercept key events (i.e. keylogging). By directly modifying the database, one could avoid the obnoxious system alert that is normally presented to the user,” the researcher said.
Furthermore, Coldroot disguises itself as an Apple audio driver, com.apple.audio.driver2.app. When clicked, it shows a standard authentication prompt asking the user to enter their macOS credentials. Once the potential victim is tricked into doing so, the RAT modifies the privacy database TCC.db, granting itself accessibility rights and thereby system-wide keylogging.
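The practical check a defender wants after reading the above is an audit of which clients hold the accessibility entitlement in TCC.db, since an unexpected bundle with that grant is exactly the footprint this technique leaves. The script below is an added example, not code from the article or from Coldroot. It assumes a simplified `access` table modelled on the pre-High Sierra TCC schema (`service`, `client`, `client_type`, `allowed`, `prompt_count`); the "no prompt ever recorded" heuristic and the allow-list of vetted clients are assumptions of this example. It runs on a constructed in-memory database so it works offline, and `open_real_db` opens the live database read-only so the audit can never alter it.

```python
"""Audit accessibility grants in a TCC.db-style SQLite database.

Added example, not from the article or from Coldroot. The 'access' table
below is a constructed simplification of the older (pre-High Sierra) TCC
schema; the allow-list and the prompt_count heuristic are assumptions.
"""
import sqlite3

# Real location of the system-wide TCC database (opened read-only here).
TCC_DB_PATH = "/Library/Application Support/com.apple.TCC/TCC.db"
ACCESSIBILITY = "kTCCServiceAccessibility"   # real TCC service name

# Assumed example allow-list: clients the defender has vetted.
EXPECTED_CLIENTS = {"com.apple.Terminal", "com.example.screenreader"}


def build_sample_db():
    """Construct an in-memory DB mimicking the older TCC.db 'access' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access ("
        " service TEXT NOT NULL, client TEXT NOT NULL,"
        " client_type INTEGER NOT NULL,"   # 0 = bundle identifier, 1 = absolute path
        " allowed INTEGER NOT NULL, prompt_count INTEGER NOT NULL,"
        " PRIMARY KEY (service, client, client_type))"
    )
    rows = [
        (ACCESSIBILITY, "com.apple.Terminal", 0, 1, 1),
        (ACCESSIBILITY, "com.example.screenreader", 0, 1, 1),
        # Constructed row mirroring the disguise the article describes: an
        # unexpected bundle granted accessibility with no prompt ever recorded.
        (ACCESSIBILITY, "com.apple.audio.driver2.app", 0, 1, 0),
        ("kTCCServiceAddressBook", "com.apple.Mail", 0, 1, 1),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def audit_accessibility(conn, expected=EXPECTED_CLIENTS):
    """Return a list of suspicious accessibility grants with the reasons."""
    findings = []
    cur = conn.execute(
        "SELECT client, client_type, prompt_count FROM access"
        " WHERE service = ? AND allowed = 1",
        (ACCESSIBILITY,),
    )
    for client, client_type, prompt_count in cur:
        reasons = []
        if client not in expected:
            reasons.append("not in allow-list")
        if prompt_count == 0:
            # Heuristic: a grant the user was never prompted for suggests
            # the row was written directly rather than via the system dialog.
            reasons.append("granted without any user prompt")
        if reasons:
            findings.append({"client": client, "client_type": client_type,
                             "reasons": reasons})
    return findings


def open_real_db(path=TCC_DB_PATH):
    """Open the live database read-only (SQLite URI mode) for auditing."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for finding in audit_accessibility(build_sample_db()):
        print(finding)
```

On a real host, replace `build_sample_db()` with `open_real_db()`; reading TCC.db requires root, and on SIP-protected systems the file cannot be modified by this or any other unentitled process, which is the mitigation the article refers to.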
Coldroot achieves persistence by installing itself as a launch daemon, which means that it starts automatically upon each reboot. More technical details can be found here.
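Launch daemon persistence is easy to audit because every daemon is declared in a property list under `/Library/LaunchDaemons` (or `/Library/LaunchAgents` for per-login agents). The following is an added example, not from the article or from Coldroot: it parses launchd plists and flags ones whose `Label` imitates Apple's `com.apple.` namespace while their program lives outside Apple's system paths or in a user-writable directory. The sample plists and the heuristic path prefixes are constructed for this example; the plist keys (`Label`, `Program`, `ProgramArguments`, `RunAtLoad`, `KeepAlive`) are standard launchd keys.

```python
"""Flag suspicious launchd property lists.

Added example, not from the article or from Coldroot. The two sample
plists and the path-prefix heuristics are constructed; the directories
and plist keys are the standard launchd ones.
"""
import os
import plistlib

LAUNCHD_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents"]
# Heuristic: where a genuinely Apple-shipped daemon binary would live.
APPLE_BINARY_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/")
# Heuristic: locations any local user can write to.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/")

# Constructed plist modelled on the disguise the article describes.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.audio.driver2</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/com.apple.audio.driver2.app/Contents/MacOS/driver</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign plist: Apple label, Apple system path, no KeepAlive.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.example.helper</string>
  <key>Program</key><string>/usr/libexec/example_helper</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def inspect_plist(data: bytes):
    """Parse one launchd plist and return its label, program and reasons for suspicion."""
    pl = plistlib.loads(data)
    label = pl.get("Label", "")
    args = pl.get("ProgramArguments") or []
    program = pl.get("Program") or (args[0] if args else "")
    reasons = []
    if label.startswith("com.apple.") and not program.startswith(APPLE_BINARY_PREFIXES):
        reasons.append("Apple-style label but program outside Apple system paths")
    if program.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("program located in a user-writable directory")
    if pl.get("RunAtLoad") and pl.get("KeepAlive"):
        reasons.append("starts at boot and is restarted if it exits")
    return {"label": label, "program": program, "reasons": reasons}


def scan_directories(dirs=LAUNCHD_DIRS):
    """Inspect every .plist in the launchd directories; returns only flagged entries."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    result = inspect_plist(fh.read())
            except Exception:
                # Unreadable or malformed plist: skip it rather than abort the scan.
                continue
            if result["reasons"]:
                result["path"] = path
                findings.append(result)
    return findings


if __name__ == "__main__":
    print(inspect_plist(SUSPICIOUS_PLIST))
    print(inspect_plist(BENIGN_PLIST))
    for finding in scan_directories():
        print(finding)
```

Run it as root on a macOS host to cover `/Library/LaunchDaemons`; the per-user `~/Library/LaunchAgents` directories can be added to `LAUNCHD_DIRS` to catch agents installed without administrator rights.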