Coldroot is a Remote Access Trojan (RAT) that was distributed on macOS machines and went undetected for some time. Researchers say that the malware is cross-platform and that it could successfully drop a keylogger on macOS versions prior to High Sierra. Coldroot's purpose is to harvest credentials from compromised systems.
Coldroot Remote Access Trojan Technical Details
The malware was discovered by Patrick Wardle of Digita Security. The researcher has been covering older, since-mitigated attacks "which sought to dismiss or avoid UI security prompts", such as abusing AppleScript, sending simulated mouse events via Core Graphics, or even interacting directly with the file system.
An example of the latter was Dropbox, which directly modified macOS's 'privacy database' (TCC.db), the database that holds the list of applications granted 'accessibility' rights. With such rights, applications can interact with system UIs and other applications, and can even intercept key events (i.e. keylogging). By modifying the database directly, one could avoid the system alert that is normally presented to the user.
Although Apple has already mitigated this attack with System Integrity Protection (SIP), several macOS keyloggers are still attempting to leverage it. That is why the researcher decided to analyze one such keylogger.
The sample of the Coldroot RAT he examined is unsigned. Apparently, the tool itself has been offered for sale on underground markets since January 2017. Moreover, versions of the malware's code have been available on GitHub for two years.
When activated, it makes changes to the system's privacy database, TCC.db, which maintains a list of apps and their level of accessibility rights. "With such rights, applications can then interact with system UIs, other applications, and even intercept key events (i.e. keylogging). By directly modifying the database, one could avoid the obnoxious system alert that is normally presented to the user," the researcher said.
In addition, Coldroot disguises itself as an Apple audio driver, com.apple.audio.driver2.app. When clicked, it shows a standard authentication prompt asking the user to enter their macOS credentials. Once the potential victim is tricked, the RAT modifies the TCC.db privacy database, granting itself accessibility rights and, with them, system-wide keylogging.
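Because a direct edit to TCC.db grants accessibility rights without the user ever seeing the prompt, one defensive check is to audit the database's accessibility grants against an allowlist and flag any grant that was never prompted for. The script below is an added example, not code from the article or from the researcher; it assumes a simplified pre-High Sierra "access" table layout (service, client, client_type, allowed, prompt_count) and uses constructed sample rows, including a placeholder bundle identifier standing in for the disguised audio driver.

```python
import sqlite3

# Simplified "access" table of TCC.db (the real file lives at
# /Library/Application Support/com.apple.TCC/TCC.db). Assumption: the
# column set of the real table varies between macOS versions.
ACCESS_SCHEMA = """
CREATE TABLE access (
    service      TEXT NOT NULL,
    client       TEXT NOT NULL,
    client_type  INTEGER NOT NULL,
    allowed      INTEGER NOT NULL,
    prompt_count INTEGER NOT NULL DEFAULT 0
);
"""

# Constructed sample rows: two legitimate grants and one that mimics a
# grant written straight into the database (prompt_count == 0, meaning the
# user was never shown the accessibility prompt). The bundle identifier
# is a placeholder modelled on the disguise named in the article.
SAMPLE_ROWS = [
    ("kTCCServiceAccessibility", "com.apple.Terminal", 0, 1, 1),
    ("kTCCServiceAccessibility", "com.example.clipboard-manager", 0, 1, 1),
    ("kTCCServiceAccessibility", "com.apple.audio.driver2", 0, 1, 0),
    ("kTCCServiceAddressBook", "com.example.mailclient", 0, 1, 1),
]


def build_sample_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(ACCESS_SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def audit_accessibility_grants(conn, allowlist):
    """Return (client, reason) pairs for accessibility grants not on the allowlist."""
    rows = conn.execute(
        "SELECT client, prompt_count FROM access "
        "WHERE service = 'kTCCServiceAccessibility' AND allowed = 1 "
        "ORDER BY rowid"
    ).fetchall()
    findings = []
    for client, prompt_count in rows:
        if client in allowlist:
            continue
        reason = "not on allowlist"
        if prompt_count == 0:
            # A grant that was never prompted for is the signature of a
            # direct database edit rather than a user approval.
            reason += ", granted without a user prompt"
        findings.append((client, reason))
    return findings


if __name__ == "__main__":
    for client, reason in audit_accessibility_grants(build_sample_db(), {"com.apple.Terminal"}):
        print(f"SUSPECT accessibility grant: {client} ({reason})")
```

On a real system the same query can be run against a copy of TCC.db with the sqlite3 command-line tool; with SIP enabled the live file is not writable, which is the mitigation the article refers to.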
Coldroot achieves persistence by installing itself as a launch daemon, which means it starts automatically on every reboot. More technical details can be found here.