forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcoldroot_macos_rat.yml
47 lines (45 loc) · 2.78 KB
/
coldroot_macos_rat.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
name: ColdRoot MacOS RAT
id: bd91a2bc-d20b-4f44-a982-1bea98e86390
version: 1
date: '2019-01-09'
author: Jose Hernandez, Splunk
description: Leverage searches that allow you to detect and investigate unusual activities
that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example
of some of these activities are changing sensative binaries in the MacOS sub-system,
detecting process names and executables associated with the RAT, detecting when
a keyboard tab is installed on a MacOS machine and more.
narrative: 'Conventional wisdom holds that Apple''s MacOS operating system is significantly
less vulnerable to attack than Windows machines. While that point is debatable,
it is true that attacks against MacOS systems are much less common. However, this
fact does not mean that Macs are impervious to breaches. To the contrary, research
has shown that that Mac malware is increasing at an alarming rate. According to
AV-test, in 2018, there were 86,865 new MacOS malware variants, up from 27,338 the
year before—a 31% increase. In contrast, the independent research firm found
that new Windows malware had increased from 65.17M to 76.86M during that same period,
less than half the rate of growth. The bottom line is that while the numbers look
a lot smaller than Windows, it''s definitely time to take Mac security more seriously.\
This Analytic Story addresses the ColdRoot remote access trojan (RAT), which was
uploaded to Github in 2016, but was still escaping detection by the first quarter
of 2018, when a new, more feature-rich variant was discovered masquerading as an
Apple audio driver. Among other capabilities, the Pascal-based ColdRoot can heist
passwords from users'' keychains and remotely control infected machines without
detection. In the initial report of his findings, Patrick Wardle, Chief Research
Officer for Digita Security, explained that the new ColdRoot RAT could start and
kill processes on the breached system, spawn new remote-desktop sessions, take screen
captures and assemble them into a live stream of the victim''s desktop, and more.\
Searches in this Analytic Story leverage the capabilities of OSquery to address
ColdRoot detection from several different angles, such as looking for the existence
of associated files and processes, and monitoring for signs of an installed keylogger.'
references:
- https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/
- https://objective-see.com/blog/blog_0x2A.html
- https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/
tags:
analytic_story: ColdRoot MacOS RAT
category:
- Malware
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection