If you are a macOS user who thinks a Mac cannot be infected with a virus or hacked, this post is for you.
Apparently, new malware is targeting macOS systems released before macOS High Sierra. Cybersecurity researchers from Digita Security have discovered this malware, called Coldroot, which at the time of discovery was not detected by antivirus programs. This Mac malware is a RAT (Remote Access Trojan) that was offered on the Dark Web, and its source code was posted on GitHub in 2016.
The researcher from Digita Security identified it as a "full-featured, currently undetected" malware that its suspected author, Coldzer0, has been selling on the Dark Web since January 1, 2017. Coldzer0 also posted a video showing that it can be used to target macOS, Linux and Windows systems, and offered customers information on how to customize the malware.
What makes this malware dangerous is that it evades antivirus software and, once it has the user's password, modifies the operating system's privacy database, TCC.db. The RAT is distributed as a fake Apple audio driver named "com.apple.audio.driver2.app". When the user opens it, a pop-up appears that looks like a normal macOS authentication dialog and asks for the user's macOS credentials. Once these are provided, Coldroot writes an entry into TCC.db that grants it Accessibility access, which is what allows it to log keystrokes system-wide.
The malware persists on the infected system by installing itself as a launch daemon, so its code starts automatically each time the infected computer boots.
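The two artefacts described above, the self-granted Accessibility entry in TCC.db and the launch daemon with an Apple-looking label, are exactly what a responder would go looking for on a pre-High Sierra Mac. The following is an added example, written for this post and not code from the Coldroot author or from Digita Security: it builds a constructed, in-memory TCC.db with a simplified `access` table (the column set and the client name "com.apple.audio.driver2" are assumptions for the example) and a constructed LaunchDaemon plist, then flags an unexpected `kTCCServiceAccessibility` grant and an `RunAtLoad` job whose Apple-style label runs a binary from a user-writable path. The sample data is made up here; the detection functions can be pointed at a real `/Library/Application Support/com.apple.TCC/TCC.db` copy and the plists in `/Library/LaunchDaemons` on an older system.

```python
import plistlib
import sqlite3

# Constructed sample rows in a simplified pre-10.13 'access' table layout.
# The column set is an assumption for this example, not dumped from a real system.
SAMPLE_TCC_ROWS = [
    # mimics the entry the RAT writes for itself (client name assumed)
    ("kTCCServiceAccessibility", "com.apple.audio.driver2", 0, 1, 1),
    ("kTCCServiceAccessibility", "com.example.legit", 0, 1, 1),
    ("kTCCServiceAddressBook", "com.example.mail", 0, 1, 1),
]


def build_sample_tcc_db():
    """Return an in-memory SQLite connection shaped like a TCC.db (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "allowed INTEGER, prompt_count INTEGER)"
    )
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", SAMPLE_TCC_ROWS)
    con.commit()
    return con


def accessibility_grants(con):
    """Clients currently granted Accessibility, the service a keylogger needs."""
    rows = con.execute(
        "SELECT client FROM access WHERE service = ? AND allowed = 1 ORDER BY rowid",
        ("kTCCServiceAccessibility",),
    )
    return [r[0] for r in rows]


def unexpected_accessibility_grants(con, allowlist):
    """Grants not on the operator's allowlist; a self-inserted RAT entry shows up here."""
    return [c for c in accessibility_grants(con) if c not in allowlist]


# Constructed LaunchDaemon plist: an Apple-looking label pointing at a binary in a
# temporary, user-writable directory (path and label are assumptions for the example).
SAMPLE_LAUNCHD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.audio.driver</string>
    <key>ProgramArguments</key>
    <array><string>/private/var/tmp/com.apple.audio.driver2.app/Contents/MacOS/com.apple.audio.driver2</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Locations where a genuine Apple-labelled job would normally keep its binary.
APPLE_BINARY_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/bin/", "/sbin/")
WRITABLE_PREFIXES = ("/private/var/tmp/", "/private/tmp/", "/tmp/", "/Users/")


def launchd_findings(plist_bytes):
    """Return human-readable findings for one launchd job plist."""
    job = plistlib.loads(plist_bytes)
    label = job.get("Label", "")
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    program = args[0] if args else ""
    findings = []
    if label.startswith("com.apple.") and not program.startswith(APPLE_BINARY_PREFIXES):
        findings.append(f"apple-style label {label!r} runs non-system binary {program!r}")
    if job.get("RunAtLoad") and program.startswith(WRITABLE_PREFIXES):
        findings.append(f"RunAtLoad job executing from writable path {program!r}")
    return findings


if __name__ == "__main__":
    con = build_sample_tcc_db()
    for client in unexpected_accessibility_grants(con, {"com.example.legit"}):
        print("unexpected Accessibility grant:", client)
    for finding in launchd_findings(SAMPLE_LAUNCHD_PLIST):
        print("launchd:", finding)
```

The allowlist is the operator's list of tools that legitimately hold Accessibility (screen readers, window managers); anything else that has been granted the service without a user ever clicking through System Preferences deserves a look, and on a SIP-protected High Sierra system such an entry should not be writable by malware in the first place.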
The malware can take screenshots, start and kill processes, search for and upload files, start a remote desktop session and shut down the operating system remotely. It is not clear whether the current version of Coldroot is the same as the one uploaded two years ago or a modified version of that malware.
Apple has effectively blocked this technique: starting with macOS High Sierra, the TCC.db privacy database is protected by System Integrity Protection (SIP), so it can no longer be modified directly, even with root privileges. The best way to stay protected is to update to the latest version of the operating system.