Mac malware Coldroot hasn’t detected by anti-virus engines for two years

Patrick Wardle, chief researcher at Digita Security, a security company, discovered a malware called Coldroot, a remote access Trojan (RAT). Although it was uploaded to GitHub two years ago, it has so far failed to be detected by most antivirus engines.

Coldroot was uploaded to Github in 2016 and is offered for free. Now, things seem to have changed a bit, and the malware has entered the proactive phase of distribution.

Wardle said the latest version of Coldroot was found in an unofficial Apple audio driver (com.apple.audio.driver2.app). Malware masqueraded as a document that opens with a prompt that requires the user to enter an account and password (MacOS credentials) to log in. Once the victim provides the credentials, the malware silently installs and contacts its command and control (C & C) server to await further instructions from the attacker.

Malware modifies MacOS’s privacy database (TCC.db), which allows it to interact with system components to gain the access necessary to perform keyloggers. In addition, Coldroot manages the infected system by installing itself as a startup daemon. In this way, the malicious code starts up each time the infected computer is opened.

Once Coldroot is activated, it can take screenshots, view the desktop remotely in real time, start and stop processes on the target system, and search, download, upload, and execute files. All stolen data is sent to the remote web-based panel, much like most RATs do today.

Wardle pointed out that this is a “fully functional and currently undetectable” malware. Since January 1, 2017, a Web site called “Coldzer0”, the author of Coldroot who has been on the dark Internet marketing this software. In addition, Coldroot is a cross-platform malware targeting MacOS, Linux and Windows-based operating systems, based on ad videos published by Coldzer0.

Wardle also pointed out that it is unclear whether this new version of Coldroot is the same as the one uploaded two years ago, or if it is a modified version of the malware. Although the new version of Coldroot still contains details and contact information for its original author (Coldzer0), it is also likely to be misleading clues for other people who improve the software after getting the code from GitHub to keep it, safe Investigators, in-depth investigation.

Wardle said the malware may not affect newer operating systems such as MacOS High Sierra because the security of system TCC.db is assured through System Integrity Protection (SIP). But in his opinion, the proactive distribution of malware shows that hackers are constantly trying to step up their attacks on Macs, and it’s better for Mac users to switch to using the latest operating system to avoid being hit by such malware.