Bella RAT

Bella RAT is a newly discovered open-source Remote Access Trojan that targets macOS systems version 10.6 or higher. The malware is written entirely in Python and has a broad array of features. Like most RATs, it can manipulate, upload, and download files, capture data from connected microphones and cameras, and create and exfiltrate screenshots. The Bella RAT also has various phishing capabilities, such as attempting to obtain the login and keychain passwords, in addition to the victim's Apple ID password. Through iCloud token extraction, it can access iCloud functions such as iCloud Contacts, Find my iPhone, Find my Friends, and the iOS Backups. The RAT can also access Chrome passwords and browsing history.

On macOS version 10.12.1 and earlier, the Bella RAT exploits system vulnerabilities with the goal of gaining root privileges. If it succeeds, the RAT places its components in the appropriate locations of the root Library folder. Otherwise, the script, database, and launch files are stored, respectively, at:

  • ~/Library/Containers/.bella/Bella
  • ~/Library/Containers/.bella/bella.db
  • ~/Library/LaunchAgents/

For its distribution, the Bella RAT uses the same dropper, with minor modifications, that was previously observed carrying another Mac Trojan, OSX.Dok, as its payload. The dropper is disguised as a document contained inside a zipped application file named Dokument.application. Once executed, it copies itself to /Users/Shared/AppStore.application and displays an alert claiming that the application is damaged. Unlike the dropper version used for OSX.Dok, though, the one for Bella doesn't cover the screen of the infected system with a fake 'OS X Updates Available' window.
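The user-level paths and the dropper copy named above can be turned into a host check. The following is an added example, not code from Bella or from the original write-up: it looks for those paths under every home directory and flags launch agents whose program arguments point into the `.bella` folder. The function names and the `root` parameter are assumptions made for illustration, and the root-level install locations are not covered because the write-up does not list them.

```python
import plistlib
from pathlib import Path

# Paths named in the write-up, relative to a user's home directory.
USER_ARTIFACTS = (
    "Library/Containers/.bella/Bella",
    "Library/Containers/.bella/bella.db",
)
# Location the dropper copies itself to, relative to the volume root.
DROPPER_COPY = "Users/Shared/AppStore.application"
MARKER = "/Library/Containers/.bella/"


def agent_references_bella(plist_path):
    """True if a launch agent's Program/ProgramArguments point into .bella."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception:  # unreadable or malformed plist: nothing to match
        return False
    if not isinstance(job, dict):
        return False
    pa = job.get("ProgramArguments", [])
    args = [job.get("Program", "")] + (pa if isinstance(pa, list) else [])
    return any(isinstance(a, str) and MARKER in a for a in args)


def scan(root="/"):
    """Return paths under `root` that match the indicators above."""
    root = Path(root)
    hits = []
    if (root / DROPPER_COPY).exists():
        hits.append(str(root / DROPPER_COPY))
    users = root / "Users"
    for home in (sorted(users.iterdir()) if users.is_dir() else []):
        for rel in USER_ARTIFACTS:
            if (home / rel).exists():
                hits.append(str(home / rel))
        agents = home / "Library/LaunchAgents"
        for plist in (sorted(agents.glob("*.plist")) if agents.is_dir() else []):
            if agent_references_bella(plist):
                hits.append(str(plist))
    return hits


if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

Pointing `root` at a mounted disk image or backup runs the same check offline; reading other users' home directories on a live system requires sufficient privileges.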

