macOS Trojan First Detected in 2016 Continues to Bypass AV Engines

Feb 20, 2018

Although it was shared online over two years ago, most AV engines are still unable to detect Coldroot RAT, a piece of Mac malware. The trojan was first uploaded to GitHub back in 2016 as a joke to “play with Mac users,” and it now works on all three major desktop operating systems.

This Mac malware can silently and remotely control an infected computer, yet AV firms have still not noticed it. Security researcher Patrick Wardle revealed the details of Coldroot, a remote access trojan, earlier today. “Though not particularly sophisticated, it’s rather ‘feature complete’ and currently undetected by all AV-engines on VirusTotal,” Wardle wrote.


It is also a good illustration that attackers continue to target macOS.

While Coldroot had started as a joke, it has since been optimized and is currently in active distribution. The new and improved Mac malware was discovered in a fake Apple audio driver and can take screen captures, start and end processes, start a remote desktop session, search and upload new files, and remotely shut down the operating system.

Disguised as a document, the malware asks for admin access, after which it silently installs itself and contacts its command and control server for further instructions. It remains unclear whether this is the same code that was uploaded to GitHub in 2016 or whether someone else has picked it up and extended it with more features. Either way, the new Coldroot RAT still includes the contact details of its original author, potentially as a false flag.

While AV engines will soon start to detect the Coldroot Mac malware after this latest exposure, users can protect themselves by not downloading files from shady websites or opening attachments from untrusted contacts. “And remember if you want to stay safe, running the latest version of macOS will definitely help,” Wardle says.

– Technical details of the Coldroot remote access trojan are available here