CYBER NEWS

Coldroot macOS RAT and Keylogger Goes Undetected for Years

Coldroot is a remote access Trojan (RAT) that has been distributed on macOS machines without being detected for some time. Researchers say that the malware is cross-platform and that it could successfully drop a keylogger on macOS versions prior to High Sierra. Coldroot's purpose is to harvest credentials from compromised systems.


Coldroot Remote Access Trojan Technical Details

The malware was discovered by Patrick Wardle from Digita Security. The researcher has been covering older, mitigated attacks “which sought to dismiss or avoid UI security prompts”, such as abusing AppleScript, sending simulated mouse events via core graphics, or even interacting with the file system.

An example of the latter was Dropbox, which directly modified macOS's 'privacy database' (TCC.db), which contains the list of applications that are afforded 'accessibility' rights. With such rights, applications can then interact with system UIs, other applications, and even intercept key events (i.e. keylogging). By directly modifying the database, one could avoid the obnoxious system alert that is normally presented to the user.

Although Apple has already mitigated this attack through System Integrity Protection, several macOS keyloggers are still attempting to leverage it. That is why the researcher decided to analyze one such keylogger.

The sample of the Coldroot RAT he examined is unsigned. Apparently, the tool itself has been offered for sale on underground markets since January 2017. Furthermore, versions of the malware code have been available on GitHub for two years.

When activated, it makes changes to the system's privacy database, TCC.db, which is designed to maintain a list of apps and their level of accessibility rights. “With such rights, applications can then interact with system UIs, other applications, and even intercept key events (i.e. keylogging). By directly modifying the database, one could avoid the obnoxious system alert that is normally presented to the user,” the researcher said.

In addition, Coldroot disguises itself as an Apple audio driver, com.apple.audio.driver2.app. When clicked, it shows a standard authentication prompt asking the user to enter their macOS credentials. Once the potential victim is tricked, the RAT modifies the privacy database TCC.db, granting itself accessibility rights and system-wide keylogging.
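A defender-side check for the behaviour described above, added here as an example (it is not code from the article or from the researcher): it reads accessibility grants from a TCC.db-shaped table and flags entries that are not on an administrator's allowlist or that carry no code-signing requirement. The `access` table columns and the csreq heuristic are assumptions based on the High Sierra-era schema; the sample rows are constructed, and reading a real TCC.db requires root.

```python
import sqlite3

ACCESSIBILITY = "kTCCServiceAccessibility"  # real TCC service name

# Constructed rows in the pre-Mojave TCC.db layout (assumed columns: service,
# client, client_type, allowed, csreq; newer macOS uses auth_value instead).
SAMPLE_ROWS = [
    # Granted via the normal prompt: tccd records a code-signing requirement.
    (ACCESSIBILITY, "com.apple.Terminal", 0, 1, b"<constructed csreq blob>"),
    # Written straight into the database, as Coldroot does: no csreq present.
    (ACCESSIBILITY, "com.apple.audio.driver2.app", 0, 1, None),
    ("kTCCServiceAddressBook", "com.example.mail", 0, 1, None),
]

def build_sample_db():
    """In-memory database shaped like a High Sierra TCC.db (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT NOT NULL, client TEXT NOT NULL, "
        "client_type INTEGER NOT NULL, allowed INTEGER NOT NULL, "
        "prompt_count INTEGER NOT NULL DEFAULT 0, csreq BLOB, "
        "PRIMARY KEY (service, client, client_type))"
    )
    conn.executemany(
        "INSERT INTO access (service, client, client_type, allowed, csreq) "
        "VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def accessibility_grants(conn):
    """(client, csreq) for every client currently holding accessibility rights."""
    cur = conn.execute(
        "SELECT client, csreq FROM access WHERE service = ? AND allowed = 1 "
        "ORDER BY client", (ACCESSIBILITY,))
    return cur.fetchall()

def suspicious_grants(conn, allowlist):
    """Grants to review: not on the admin allowlist, or lacking a csreq blob.
    Heuristic assumption: a row tccd writes after a user prompt carries the app's
    code-signing requirement; a row inserted by hand usually does not."""
    findings = []
    for client, csreq in accessibility_grants(conn):
        reasons = []
        if client not in allowlist:
            reasons.append("not in allowlist")
        if csreq is None:
            reasons.append("no code-signing requirement recorded")
        if reasons:
            findings.append((client, reasons))
    return findings
```

Pair this with a check of launch daemon plists, since the article notes Coldroot persists that way; any grant that appears without a user-visible prompt deserves a closer look.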


Coldroot can persist on a system by installing itself as a launch daemon, which means that it will start automatically upon each reboot. More technical details can be found here.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project's start. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
