Threat Feed
Advisory severity: high

Coldroot RAT Targeting macOS

The Coldroot RAT is a cross-platform backdoor targeting macOS systems. It masquerades as an Apple audio driver, gives remote attackers persistent access through a launch daemon, and beacons to a command and control server for tasking.

The Coldroot RAT is a cross-platform backdoor that targets macOS. It masquerades as a legitimate Apple audio driver to avoid suspicion. First identified in early January 2018, the malware persists on infected systems by installing a launch daemon, so it is started again after every reboot. It beacons to a command and control (C2) server for tasking and also functions as a keylogger. It attempts to modify the TCC.db database (the per-application store of privacy permissions, including the accessibility access a keylogger relies on), but on systems with System Integrity Protection (SIP) enabled that write is blocked. Even so, the RAT gives attackers unauthorized access to sensitive data and lets them keep persistent control over compromised systems.

Attack Chain

  1. The user downloads a DMG file containing the malicious application bundle, com.apple.audio.driver.app.
  2. The user runs the application, which displays a standard macOS authentication prompt and collects the user's credentials; the privileged steps below depend on them.
  3. The malware loads its settings from com.apple.audio.driver.app/Contents/MacOS/conx.wol, which holds the C2 information and other configuration.
  4. The malware copies itself to /private/var/tmp/com.apple.audio.driver.app/Contents/MacOS/com.apple.audio.driver.
  5. The malware writes a launch daemon property list, com.apple.audio.driver.plist, for the copied binary.
  6. The malware uses /bin/cp to install that plist at /Library/LaunchDaemons/com.apple.audio.driver.plist, a directory only root can write to.
  7. The malware uses /bin/launchctl to load the newly installed launch daemon, so the backdoor starts immediately and on every boot.
  8. The malware beacons to the C2 server named in conx.wol, awaits further commands, and logs keystrokes to adobe_logs.log.

Impact

Successful infection by the Coldroot RAT gives attackers persistent access to the macOS system. Its keylogging lets them steal credentials and other sensitive information. The malware's attempt to modify TCC.db is blocked by SIP, so on a default configuration it cannot silently grant itself additional privacy permissions; on hosts where SIP has been disabled that protection is absent. The persistent access and data theft capabilities remain a significant risk regardless. The number of victims and the sectors targeted are currently unknown.

Recommendation

  • Monitor process executions for /bin/cp writing into /Library/LaunchDaemons/ followed by /bin/launchctl loading the resulting plist, the sequence in steps 6 and 7 of the attack chain. Deploy the Detect Coldroot Launch Daemon Installation Sigma rule to detect this behavior.
  • Monitor and block network connections to the C2 server at 45.77.49.118. The address is read from the sample's conx.wol configuration, so a repacked sample can point elsewhere; treat any conx.wol recovered from a host as a source of further network indicators.
  • Implement file integrity monitoring on /Library/LaunchDaemons/ so that creation of com.apple.audio.driver.plist, or of any unexpected daemon, is reported. Deploy the Detect Coldroot Launch Daemon File Creation Sigma rule to detect the creation of this launch daemon.
  • Scan systems for files matching the SHA256 hash c20980d3971923a0795662420063528a43dd533d07565eb4639ee8c0ccb77fdf to identify potentially infected machines. The hash identifies only this sample; pair it with the path and launch daemon indicators above to catch rebuilt variants.
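As an added example (not tooling from the advisory or from the analysis it summarises), the sweep below checks a volume for the artifacts named in steps 3 to 8 of the attack chain and for the hash in the last recommendation. Paths are taken relative to a root directory so the same code can be pointed at / on a live Mac, at a mounted disk image, or at the constructed fixture that run_demo() builds. Two locations are assumptions, because the advisory gives neither: conx.wol is looked for beside the copied binary, and adobe_logs.log anywhere under /private/var/tmp.

```python
"""On-host sweep for the Coldroot artifacts named in the attack chain (added example)."""
import hashlib
import os
import plistlib
import tempfile

# SHA256 of the sample from the IOC table.
COLDROOT_SHA256 = "c20980d3971923a0795662420063528a43dd533d07565eb4639ee8c0ccb77fdf"

# Artifact paths from the attack chain, relative to the volume root.
PLIST_REL = "Library/LaunchDaemons/com.apple.audio.driver.plist"
BINARY_REL = ("private/var/tmp/com.apple.audio.driver.app/Contents/MacOS/"
              "com.apple.audio.driver")
# Assumptions (the advisory gives no directory for either): conx.wol beside
# the copied binary, adobe_logs.log somewhere under /private/var/tmp.
CONFIG_REL = os.path.join(os.path.dirname(BINARY_REL), "conx.wol")
KEYLOG_NAME = "adobe_logs.log"
KEYLOG_SEARCH_REL = "private/var/tmp"


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def launchd_program(plist_path: str):
    """Return the program a launchd plist runs, or None if it cannot be parsed."""
    try:
        with open(plist_path, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception:  # unreadable, binary garbage or malformed XML
        return None
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    prog = plist.get("Program")
    return str(prog) if prog else None


def sweep(root: str, known_hashes=frozenset({COLDROOT_SHA256})) -> dict:
    """Collect the Coldroot artifacts present under root."""
    plist_path = os.path.join(root, PLIST_REL)
    binary_path = os.path.join(root, BINARY_REL)
    has_plist, has_binary = os.path.isfile(plist_path), os.path.isfile(binary_path)
    found = {
        "plist_present": has_plist,
        "plist_program": launchd_program(plist_path) if has_plist else None,
        "binary_present": has_binary,
        "binary_sha256": sha256_file(binary_path) if has_binary else None,
        "config_present": os.path.isfile(os.path.join(root, CONFIG_REL)),
        "keylog_paths": [],
    }
    found["hash_match"] = found["binary_sha256"] in known_hashes
    for dirpath, _dirs, files in os.walk(os.path.join(root, KEYLOG_SEARCH_REL)):
        if KEYLOG_NAME in files:
            found["keylog_paths"].append(os.path.join(dirpath, KEYLOG_NAME))
    return found


def verdict(found: dict) -> str:
    """confirmed: known sample hash; suspicious: any artifact present; clean: none."""
    if found["hash_match"]:
        return "confirmed"
    if (found["plist_present"] or found["binary_present"]
            or found["config_present"] or found["keylog_paths"]):
        return "suspicious"
    return "clean"


def build_fixture(root: str) -> str:
    """Constructed, benign stand-in for an infected volume; returns its binary's hash."""
    binary_path = os.path.join(root, BINARY_REL)
    plist_path = os.path.join(root, PLIST_REL)
    os.makedirs(os.path.dirname(binary_path), exist_ok=True)
    os.makedirs(os.path.dirname(plist_path), exist_ok=True)
    with open(binary_path, "wb") as fh:
        fh.write(b"placeholder bytes, not the Coldroot sample\n")
    with open(os.path.join(root, CONFIG_REL), "w") as fh:
        fh.write("placeholder config\n")
    with open(os.path.join(root, KEYLOG_SEARCH_REL, KEYLOG_NAME), "w") as fh:
        fh.write("placeholder keystrokes\n")
    with open(plist_path, "wb") as fh:
        plistlib.dump({"Label": "com.apple.audio.driver",
                       "ProgramArguments": ["/" + BINARY_REL],
                       "RunAtLoad": True}, fh)
    return sha256_file(binary_path)


def run_demo() -> dict:
    """Sweep an empty root, then the fixture with and without its hash known."""
    clean_root, infected_root = tempfile.mkdtemp(), tempfile.mkdtemp()
    fixture_hash = build_fixture(infected_root)
    found = sweep(infected_root)
    return {
        "clean": verdict(sweep(clean_root)),
        "suspicious": verdict(found),
        "confirmed": verdict(sweep(infected_root, known_hashes={fixture_hash})),
        "program": found["plist_program"],
        "keylogs": len(found["keylog_paths"]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it as root against / so /Library/LaunchDaemons and /private/var/tmp are readable. A "suspicious" verdict whose parsed ProgramArguments point into /private/var/tmp is worth escalating even when the hash differs: a rebuilt sample keeps the persistence mechanism but not the hash.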

Detection coverage (2 rules)

Detect Coldroot Launch Daemon Installation (severity: high)

Detects the installation of a launch daemon by Coldroot RAT via cp and launchctl.

Sigma rule. Tactic: persistence. Technique: T1543.004 (Create or Modify System Process: Launch Daemon). Log sources: process_creation, macos.

Detect Coldroot Launch Daemon File Creation (severity: high)

Detects the creation of Coldroot's launch daemon file, /Library/LaunchDaemons/com.apple.audio.driver.plist.

Sigma rule. Tactic: persistence. Technique: T1543.004 (Create or Modify System Process: Launch Daemon). Log sources: file_event, macos.
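The two rules are only summarised on this page. As an added example that is not the platform's Sigma rules, the Python below implements the same logic over constructed process_creation and file_event records, and goes one step beyond the advisory: any /bin/cp into /Library/LaunchDaemons/ is raised at medium severity so a renamed plist is not missed, and a cp followed by launchctl on Coldroot's plist on the same host within a short window is correlated into a single high-confidence hit. Field names Image, CommandLine and TargetFilename follow Sigma's macOS conventions; host, ts and category are assumed envelope fields, and the sample telemetry is constructed.

```python
"""Detection logic for the two Coldroot rules over constructed telemetry (added example)."""

COLDROOT_PLIST = "/Library/LaunchDaemons/com.apple.audio.driver.plist"
DAEMON_DIR = "/Library/LaunchDaemons/"
RULE_INSTALL = "Detect Coldroot Launch Daemon Installation"
RULE_CREATE = "Detect Coldroot Launch Daemon File Creation"
RULE_GENERIC = "Generic copy into LaunchDaemons"


def detect_launch_daemon_installation(ev: dict):
    """process_creation: cp or launchctl acting on Coldroot's plist.

    Returns (rule, severity) or None. The medium-severity branch is the
    generalisation described in the lead-in; tune it against local noise
    such as package installers that legitimately drop daemons.
    """
    if ev.get("category") != "process_creation":
        return None
    image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
    if image.endswith("/bin/cp") and DAEMON_DIR in cmd:
        if "com.apple.audio.driver.plist" in cmd:
            return (RULE_INSTALL, "high")
        return (RULE_GENERIC, "medium")
    if image.endswith("/bin/launchctl") and COLDROOT_PLIST in cmd:
        return (RULE_INSTALL, "high")
    return None


def detect_launch_daemon_file_creation(ev: dict):
    """file_event: creation of Coldroot's plist under /Library/LaunchDaemons."""
    if ev.get("category") != "file_event":
        return None
    if ev.get("TargetFilename") == COLDROOT_PLIST:
        return (RULE_CREATE, "high")
    return None


RULES = (detect_launch_daemon_installation, detect_launch_daemon_file_creation)


def evaluate(events):
    """Run every rule over every event; one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"host": ev["host"], "ts": ev["ts"], "rule": hit[0],
                               "severity": hit[1], "image": ev.get("Image", ""),
                               "evidence": ev.get("CommandLine") or ev.get("TargetFilename")})
    return alerts


def correlate(alerts, window=300):
    """Hosts where cp and then launchctl hit Coldroot's plist within `window` seconds.

    That is the exact order in the attack chain; seeing both is a stronger
    signal than either process event on its own.
    """
    by_host = {}
    for a in alerts:
        if a["rule"] == RULE_INSTALL:
            by_host.setdefault(a["host"], []).append(a)
    confirmed = []
    for host, hits in by_host.items():
        cps = [a["ts"] for a in hits if a["image"].endswith("/bin/cp")]
        lcs = [a["ts"] for a in hits if a["image"].endswith("/bin/launchctl")]
        if any(0 <= lc - cp <= window for cp in cps for lc in lcs):
            confirmed.append(host)
    return sorted(confirmed)


# Constructed sample telemetry: mac-01 is infected, mac-02 is an admin installing
# a legitimate service. The cp source path on mac-01 is invented for the sample.
SAMPLE_EVENTS = [
    {"host": "mac-01", "ts": 100, "category": "process_creation", "Image": "/bin/cp",
     "CommandLine": "/bin/cp notes.txt /Users/alice/Desktop/notes.bak"},
    {"host": "mac-01", "ts": 130, "category": "process_creation", "Image": "/bin/cp",
     "CommandLine": "/bin/cp /private/var/tmp/com.apple.audio.driver.plist "
                    "/Library/LaunchDaemons/com.apple.audio.driver.plist"},
    {"host": "mac-01", "ts": 130, "category": "file_event",
     "TargetFilename": "/Library/LaunchDaemons/com.apple.audio.driver.plist"},
    {"host": "mac-01", "ts": 131, "category": "process_creation", "Image": "/bin/launchctl",
     "CommandLine": "/bin/launchctl load /Library/LaunchDaemons/com.apple.audio.driver.plist"},
    {"host": "mac-02", "ts": 500, "category": "process_creation", "Image": "/bin/cp",
     "CommandLine": "/bin/cp homebrew.mxcl.nginx.plist /Library/LaunchDaemons/"},
    {"host": "mac-02", "ts": 501, "category": "process_creation", "Image": "/bin/launchctl",
     "CommandLine": "/bin/launchctl load /Library/LaunchDaemons/homebrew.mxcl.nginx.plist"},
]


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(a["host"], a["severity"], a["rule"], "<-", a["evidence"])
    print("correlated:", correlate(found))
```

On the sample, mac-01 produces three high alerts (cp, file creation, launchctl) and is the only host the correlation confirms; mac-02 produces one medium alert from the generic branch and nothing else, which is the sort of hit to suppress by installer path once the rule is in production.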


Indicators of compromise (2: 1 hash_sha256, 1 filename)

Type          Value
hash_sha256   c20980d3971923a0795662420063528a43dd533d07565eb4639ee8c0ccb77fdf
filename      conx.wol