Coldroot RAT
Mac users are sometimes seen as an easy target by cybercriminals. This is because Apple users have a false sense of security when it comes to their machines, thinking they are practically impenetrable by malware. This mindset has caused quite a few Apple users a fair bit of headaches. The Coldroot RAT is a Remote Access Trojan, which has been built to target OSX, Windows, and Linux.
Table of Contents
The Project
The first time that the Coldroot RAT was noticed was on a security scan service online. The creators of the Coldroot RAT have a YouTube channel where they state that their project is going to be available on the market for anyone willing to pay. They even have an official website, and it seems that the Coldroot RAT has been in the works since 2016. Despite the promises on the YouTube channel, the Coldroot RAT is still not available publicly, which has led some specialists to be convinced that the creators of this threat may have abandoned the project altogether.
Written in Pascal
The authors of the Coldroot RAT have written this cunning threat in Pascal. Despite this language being regarded as rather old, it is not yet obsolete and can be used to create some very potent malware. This is because threats written in Pascal can target Windows, OSX and Linux. Users who do not update their OSX will be vulnerable to the Coldroot RAT particularly. This Remote Access Trojan targets vulnerabilities in some older version of OSX, and through them, it can plant a keylogger on the Mac.
When the Coldroot RAT Infects a Mac
The Coldroot RAT registers an OSX component called 'com.apple.audio.driver' - a simple trick to impersonate a legitimate audio service. The fake component is then registered as a new LaunchDaemon that will give the threat persistence. This is done to stay under the radar of the victim. Then, the Coldroot RAT will establish a connection with the C&C (Command & Control) server of its authors and will register the newly infected machine. By doing this, the Coldroot RAT feeds the C&C information about the infiltrated system:
- OSX version.
- Computer architecture.
- Status of the Web camera.
- Username.
The Coldroot RAT does not have a too impressive list of capabilities. However, they can still cause significant damage to the victim. The Coldroot RAT is capable of:
- Uploading files from the C&C server.
- Downloading files from Websites.
- Starting a remote desktop session.
- Browsing through processes.
- Initiating processes.
- Ending processes.
- Detecting active windows.
- Browsing directories.
- Changing the names of files.
- Deleting files.
- Executing remote commands.
- Collecting Web browser login credentials.
- Collecting keystrokes.
- Restarting the compromised system.
- Shutting down the compromised system.
Whether your system is running Windows, Linux, or OSX, you have to stay wary of the Coldroot RAT. Make sure you download and install a genuine anti-virus suite, which will protect your system from threats like the Coldroot RAT.
