{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/coldroot/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["high"],"_cs_tags":["rat","macos","persistence","coldroot"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe Coldroot RAT is a cross-platform backdoor that targets macOS systems. This RAT masquerades as a legitimate Apple audio driver to avoid detection. Discovered in early January 2018, the malware persists on infected systems by installing a launch daemon, ensuring it is automatically restarted after each reboot. The malware beacons out to a command and control (C2) server for tasking, and also functions as a keylogger. It also attempts to write an entry into the TCC.db privacy database to grant itself Accessibility access for keylogging, but on macOS 10.11 and later System Integrity Protection (SIP) protects that database and the write fails. 
This RAT poses a significant threat to macOS users as it can provide unauthorized access to sensitive data and allow attackers to maintain persistent control over compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user downloads a DMG file containing the malicious application bundle, \u003ccode\u003ecom.apple.audio.driver.app\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user executes the application, which prompts for user credentials via a standard authentication prompt.\u003c/li\u003e\n\u003cli\u003eThe malware loads its settings from \u003ccode\u003ecom.apple.audio.driver.app/Contents/MacOS/conx.wol\u003c/code\u003e, which contains C2 information and other configuration.\u003c/li\u003e\n\u003cli\u003eThe malware copies itself to \u003ccode\u003e/private/var/tmp/com.apple.audio.driver.app/Contents/MacOS/com.apple.audio.driver\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware creates a launch daemon plist file at \u003ccode\u003e/Library/LaunchDaemons/com.apple.audio.driver.plist\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware uses \u003ccode\u003e/bin/cp\u003c/code\u003e to install the launch daemon plist.\u003c/li\u003e\n\u003cli\u003eThe malware uses \u003ccode\u003e/bin/launchctl\u003c/code\u003e to launch the newly installed launch daemon.\u003c/li\u003e\n\u003cli\u003eThe malware beacons to the C2 server specified in the \u003ccode\u003econx.wol\u003c/code\u003e file, awaiting further commands, and logs keystrokes to \u003ccode\u003eadobe_logs.log\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful infection by the Coldroot RAT allows attackers to maintain persistent access to macOS systems. The malware\u0026rsquo;s keylogging capabilities enable attackers to steal credentials and sensitive information. 
While the malware attempts to modify the TCC.db database, SIP prevents this action on macOS 10.11 and later. However, the persistent access and data theft capabilities still pose a significant risk. The number of victims and specific sectors targeted are currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process executions for the use of \u003ccode\u003e/bin/cp\u003c/code\u003e and \u003ccode\u003e/bin/launchctl\u003c/code\u003e to install launch daemons, as highlighted in the attack chain. Writing to \u003ccode\u003e/Library/LaunchDaemons\u003c/code\u003e requires root, which is why the malware asks for the user\u0026rsquo;s password first; alert on the pair (a plist copied into that directory and then loaded with \u003ccode\u003elaunchctl\u003c/code\u003e) rather than on either command alone, since legitimate installers use both. Deploy the \u003ccode\u003eDetect Coldroot Launch Daemon Installation\u003c/code\u003e Sigma rule to detect this behavior.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the C2 server IP address \u003ccode\u003e45.77.49.118\u003c/code\u003e and block that address at the firewall.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring for \u003ccode\u003e/Library/LaunchDaemons/com.apple.audio.driver.plist\u003c/code\u003e to detect unauthorized modifications of launch daemons. 
Deploy the \u003ccode\u003eDetect Coldroot Launch Daemon File Creation\u003c/code\u003e Sigma rule to detect the creation of this launch daemon.\u003c/li\u003e\n\u003cli\u003eScan systems for files matching the SHA256 hash \u003ccode\u003ec20980d3971923a0795662420063528a43dd533d07565eb4639ee8c0ccb77fdf\u003c/code\u003e to identify potentially infected machines.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:10:00Z","date_published":"2024-01-03T18:10:00Z","id":"/briefs/2024-01-coldroot-rat/","summary":"The Coldroot RAT is a cross-platform backdoor targeting macOS systems, providing remote attackers persistent access through a launch daemon, masquerading as an Apple audio driver, and beaconing to a command and control server.","title":"Coldroot RAT Targeting macOS","url":"https://feed.craftedsignal.io/briefs/2024-01-coldroot-rat/"}],"language":"en","title":"CraftedSignal Threat Feed — Coldroot","version":"https://jsonfeed.org/version/1.1"}
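As an added example for the detection guidance in this brief (editor's code, not part of the feed item and not the referenced Sigma rules), the following Python runs the recommended checks over constructed endpoint telemetry: it flags the cp-then-launchctl launch daemon installation from steps 5 to 7 of the attack chain as a correlated pair, the creation of the named plist, connections to the listed C2 address, and the listed SHA256 hash. The event shape (dicts of type `process_exec`, `file_create`, `network_connect`), the cp source path and the benign noise events are assumptions standing in for whatever an EDR or osquery pipeline actually emits.

```python
"""Detection logic for the Coldroot persistence chain described in the brief.

Added example code, not part of the original brief or the referenced Sigma
rules. The event dicts below are a constructed stand-in for real EDR or
osquery telemetry; only the indicator values are taken from the brief.
"""
import hashlib

# Indicators quoted from the brief.
COLDROOT_PLIST = "/Library/LaunchDaemons/com.apple.audio.driver.plist"
COLDROOT_BINARY = ("/private/var/tmp/com.apple.audio.driver.app"
                   "/Contents/MacOS/com.apple.audio.driver")
COLDROOT_C2 = "45.77.49.118"
COLDROOT_SHA256 = {
    "c20980d3971923a0795662420063528a43dd533d07565eb4639ee8c0ccb77fdf",
}
LAUNCH_DAEMON_DIR = "/Library/LaunchDaemons/"


def detect(events):
    """Return (severity, rule, detail) tuples for Coldroot behaviours.

    Steps 5-7 of the attack chain are modelled as a sequence: a plist lands in
    /Library/LaunchDaemons (seen as a /bin/cp destination or a file-create
    event) and the same path is then loaded with /bin/launchctl. Either half
    alone is common in legitimate installers, so only the pair is rated high.
    """
    alerts = []
    staged = set()  # plists written to /Library/LaunchDaemons so far
    for ev in events:
        kind = ev["type"]
        if kind == "process_exec":
            argv = ev["argv"]
            exe = argv[0]
            if exe == COLDROOT_BINARY:
                alerts.append(("high", "coldroot_binary_exec", exe))
            elif exe == "/bin/cp" and len(argv) >= 3:
                dst = argv[-1]
                if dst.startswith(LAUNCH_DAEMON_DIR) and dst.endswith(".plist"):
                    staged.add(dst)
                    alerts.append(("medium", "launchdaemon_plist_cp", dst))
            elif exe == "/bin/launchctl" and len(argv) >= 2:
                # `launchctl load <plist>` or `launchctl bootstrap system <plist>`
                if argv[1] in ("load", "bootstrap"):
                    for plist in argv[2:]:
                        if plist in staged:
                            alerts.append(("high",
                                           "launchdaemon_cp_then_launchctl",
                                           plist))
        elif kind == "file_create":
            path = ev["path"]
            if path == COLDROOT_PLIST:
                alerts.append(("high", "coldroot_plist_created", path))
            if path.startswith(LAUNCH_DAEMON_DIR) and path.endswith(".plist"):
                staged.add(path)
        elif kind == "network_connect":
            if ev["remote_ip"] == COLDROOT_C2:
                alerts.append(("high", "coldroot_c2_connection",
                               f'{ev["remote_ip"]}:{ev["remote_port"]}'))
    return alerts


def is_known_sample(data: bytes) -> bool:
    """True if the bytes hash to the Coldroot SHA256 listed in the brief."""
    return hashlib.sha256(data).hexdigest() in COLDROOT_SHA256


def sha256_file(path: str) -> str:
    """Streamed SHA256 of a file, for sweeping hosts with is_known_sample."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed telemetry approximating steps 4-8 of the attack chain, mixed
# with benign noise. The cp source path is invented for the example; the
# brief does not say where the malware stages the plist before copying it.
SAMPLE_EVENTS = [
    {"type": "process_exec", "argv": ["/bin/cp", "/tmp/notes.txt",
                                      "/Users/alice/notes.txt"]},
    {"type": "process_exec", "argv": [COLDROOT_BINARY]},
    {"type": "process_exec", "argv": ["/bin/cp",
                                      "/private/var/tmp/com.apple.audio.driver.plist",
                                      COLDROOT_PLIST]},
    {"type": "file_create", "path": COLDROOT_PLIST},
    {"type": "process_exec", "argv": ["/bin/launchctl", "list"]},
    {"type": "process_exec", "argv": ["/bin/launchctl", "load", COLDROOT_PLIST]},
    {"type": "network_connect", "remote_ip": "203.0.113.5", "remote_port": 443},
    {"type": "network_connect", "remote_ip": COLDROOT_C2, "remote_port": 80},
]

if __name__ == "__main__":
    for sev, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {detail}")
```

The `staged` set is what keeps the pair rule quiet on a normal package install that drops a plist and loads it minutes later only if those events are fed in separate batches; in production, key it by host and give entries a time window rather than keeping them for the life of the process.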