{"id":76018,"date":"2018-03-05T08:00:08","date_gmt":"2018-03-05T16:00:08","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=76018"},"modified":"2019-06-15T02:57:20","modified_gmt":"2019-06-15T09:57:20","slug":"osxcoldroot-and-the-rat-invasion","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/osxcoldroot-and-the-rat-invasion\/","title":{"rendered":"OSX\/Coldroot and the RAT invasion"},"content":{"rendered":"

\"ColdrootThe past\u00a0several weeks have brought\u00a0to light\u00a0three\u00a0distinct families of\u00a0RAT\u00a0malware for\u00a0Macs. We’ve previously covered CrossRAT<\/a> and EvilOSX<\/a>, and in this article we’ll explore OSX\/Coldroot<\/strong>.<\/p>\n

First, let’s briefly take a look at what exactly is a “RAT.”\u00a0Later, we’ll also\u00a0explore why so many RATs have been discovered already in 2018, and we’ll explain\u00a0how you can protect yourself from these threats.<\/p>\n

What is a RAT?<\/h3>\n

\"\"RAT\u00a0is an\u00a0acronym that\u00a0stands for “remote administration tool” or “remote access Trojan.”\u00a0While there are plenty of perfectly legitimate\u00a0software utilities\u00a0for accessing\u00a0another computer (for example, Apple Remote Desktop<\/a>), the term RAT is generally reserved for software that’s designed to be installed and used without the computer user’s knowledge, often with the intention of spying or stealing resources.<\/p>\n

RATs commonly include features\u00a0that allow a remote attacker to control or spy on your computer.\u00a0They may allow an attacker to do such things as observe\u00a0your screen, take screenshots, activate your camera or microphone,\u00a0log\u00a0everything you type including your passwords, copy files to or from your computer, or execute other commands, all in the background and without\u00a0your knowledge.<\/p>\n

What’s the story\u00a0behind OSX\/Coldroot?<\/h3>\n

\"\"Over the same weekend that Intego researchers discovered OSX\/Shlayer<\/a>, another researcher, Patrick Wardle, independently discovered<\/a> OSX\/Coldroot, an entirely different\u00a0type of Mac malware: a RAT.<\/p>\n

In\u00a0preparation for a talk at an upcoming security conference,\u00a0Wardle searched VirusTotal<\/a>\u2014a site that uses dozens of anti-virus\u00a0engines to analyze\u00a0individual files that users upload\u2014for a sample of malware that attempts to\u00a0directly modify\u00a0a macOS database file (TCC.db) to grant itself special permissions.<\/p>\n

One\u00a0sample that came up in the search results was undetected by all 60 of VirusTotal’s anti-virus engines. However, Wardle felt that a variety of indicators pointed to the strong probability that the software\u00a0was malicious. The following were indicators that were relatively easy to discover by a casual observer:<\/p>\n