Security researcher Patrick Wardle, chief research officer at Digita Security, recently published a post on a RAT (remote access Trojan) that is posing a danger to those running MacOS systems. The RAT is named Coldroot and affects MacOS systems that run anything prior to OS High Sierra. It is theorized that Coldroot (name taken from the code showing authorship as OSX/Coldroot) has existed in the Dark Web for at least a year and that its source code was on GitHub for roughly two years.
Coldroot’s main function is to steal banking credentials via installation of a keylogger. The RAT appears as Apple audio driver “com.apple.audio.driver2.app.” As Wardle explains in his research post, Coldroot is able to evade AV scans and get root through its exploitation of the older OS’s privacy database TCC.db:
“Though Apple now thwarts this attack, by protecting TCC.db via System Integrity Protection (SIP)... on older versions of OSX/macOS the malware will gain accessibility rights... Each time the malware is up and running it performs two main tasks:
- kicks off keylogging logic
- checks in with the command & control server and performs any received tasking.”
There are ways to mitigate this particular malware. In order for the fake Apple audio driver “com.apple.audio.driver2.app” to be put into action, it requires compliance on the part of the user. As seen in the below image, the RAT asks the potential victim to authorize changes:
The solution here is obvious — don’t give the RAT the authentication it desires. While this does not help those who have already done this, it can give a cautionary tale to anyone who automatically gives authentication without researching the file asking for said authentication.
Another fix is to move to a more up-to-date Apple OS. As is mentioned in this article, Coldroot is able to gain root and carry out its keylogging due to holes in MacOS variants prior to High Sierra. A good rule of thumb (as countless incidents have taught us), is that the more up-to-date an OS is, the higher probability that there are tools to fight threats. Additionally, Wardle mentions that “my free tools such as BlockBlock and LuLu can generically thwart such threats,” so give those a try in case you may be infected.
Photo credit: Wikimedia