Undetectable Remote Access Trojan For Mac
Remote Access Trojans let attackers use your Mac like they're sitting right in front of it. Don't become a victim of this spooky, unnerving attack.

Security experts have uncovered a strain of malware dubbed 'Coldroot' that is still undetectable by most antivirus software despite being uploaded to GitHub nearly two years ago.
Earlier this month, the Office of Personnel Management reported that 21.5 million Americans had their social security numbers and other sensitive data stolen in. In the wake of this massive breach, OPM Director Katherine Archuleta has resigned. It's believed that the Sakula Remote Access Trojan (RAT) was associated with this attack. RATs are very common and are designed to give the attacker complete control over the victim's system. They can be used to steal sensitive information, spy on victims, and remotely control infected computers.
RAT infections are typically carried out via spear phishing and social engineering attacks. Most are hidden inside heavily packed binaries that are dropped in the later stages of the malware's payload execution. Although RATs have been a mainstay in cyber attackers' tool kits for some time, they remain very challenging to detect for the following reasons:

• They open legitimate network ports on the infected machines. Since this is a very common operation, it appears benign to most security products.
• They mimic legitimate commercial remote administration tools.
• They perform very surgical operations that do not resemble common malware techniques.

Here's a rundown of seven of the most common RATs in use today:

RAT 1: Sakula is believed to be associated with the recent OPM attack. It is signed, looks like benign software, and provides the attacker with remote administration capabilities over the victim machine. Sakula initiates simple HTTP requests when communicating with its command and control (C&C) server. The RAT uses a tool called "Mimikatz" to perform "pass the hash" authentication, which sends the hash to the remote server instead of the associated plaintext password.

RAT 2: KjW0rm is believed to be associated with the recent breach of TV stations in France. KjW0rm was written in VBS, which makes it even harder to detect. The Trojan creates a backdoor that allows the attacker to take control of the machine, extract information, and send it back to the C&C server. (For more information about KjW0rm read.)

RAT 3: Havex targets industrial control systems (ICS). It is very sophisticated and provides the attacker with full control over the infected machine. Havex uses different variants (mutations) and is very stealthy. Communication with its C&C server is established over HTTP and HTTPS. Its footprint inside the victim machine is minimal.

RAT 4: Agent.BTZ/ComRat is one of the most notorious and well-known RATs. Believed to be developed by the Russian government to target ICS networks in Europe, Agent.BTZ (also known as Uroburos) propagates via phishing attacks. It uses advanced encryption to protect itself from analysis, provides full administration capabilities over the infected machine, and sends extracted sensitive information back to its C&C server. Agent.BTZ uses advanced anti-analysis and anti-forensic techniques.

RAT 5: Dark Comet provides comprehensive administration capabilities over the infected machine. It was first identified in 2011 and still infects thousands of computers without being detected. Dark Comet uses crypters to hide its existence from antivirus tools. It performs several malicious administrative tasks, such as disabling Task Manager, Windows Firewall, and Windows UAC.

RAT 6: AlienSpy targets Apple OS X platforms, which typically rely only on traditional protection such as antivirus. AlienSpy collects system information, activates webcams, establishes secure connections with the C&C server, and provides full control over the victim machine. The RAT also uses anti-analysis techniques such as detecting the presence of virtual machines.
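As an added defender's example, not part of the article: a small Python script that scans host telemetry for two of the behaviours described above, regular beaconing to a C&C server over a legitimate-looking port such as 80 or 443 (Sakula, Havex) and registry writes that disable Task Manager or UAC (Dark Comet). The event line format and the sample events are constructed for this example; only the registry value names are real Windows settings.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed host telemetry (not from the article): "<timestamp> <event> <process> <detail>".
SAMPLE_EVENTS = [
    "2015-07-10T09:00:00 NET_CONNECT svchost.exe 203.0.113.5:80",
    "2015-07-10T09:02:13 NET_CONNECT chrome.exe 198.51.100.7:443",
    "2015-07-10T09:03:41 NET_CONNECT chrome.exe 198.51.100.7:443",
    "2015-07-10T09:05:00 NET_CONNECT svchost.exe 203.0.113.5:80",
    "2015-07-10T09:10:01 NET_CONNECT svchost.exe 203.0.113.5:80",
    "2015-07-10T09:11:02 NET_CONNECT chrome.exe 198.51.100.7:443",
    "2015-07-10T09:12:00 REG_SET update.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr=1",
    "2015-07-10T09:12:01 REG_SET update.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA=0",
    "2015-07-10T09:15:00 NET_CONNECT svchost.exe 203.0.113.5:80",
]

# Registry values a RAT like Dark Comet flips to blind the host's own defences.
TAMPER_VALUES = {"DisableTaskMgr=1": "Task Manager disabled",
                 "EnableLUA=0": "UAC disabled",
                 "EnableFirewall=0": "Windows Firewall disabled"}

def parse_event(line):
    ts, kind, proc, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), kind, proc, detail

def find_beacons(lines, min_count=4, max_cv=0.1):
    """Flag (process, destination) pairs whose connection timing is too regular: a low
    coefficient of variation of the gaps is the C&C beacon signature, whatever the port."""
    times = defaultdict(list)
    for ts, kind, proc, detail in map(parse_event, lines):
        if kind == "NET_CONNECT":
            times[(proc, detail)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv:
            flagged[key] = round(statistics.mean(gaps))  # beacon period in seconds
    return flagged

def find_tampering(lines):
    hits = []  # (process, description) for registry writes that disable host defences
    for _, kind, proc, detail in map(parse_event, lines):
        value = detail.rsplit("\\", 1)[-1]
        if kind == "REG_SET" and value in TAMPER_VALUES:
            hits.append((proc, TAMPER_VALUES[value]))
    return hits
```

The browser's irregular connections on port 443 are left alone, while the five-minute cadence on port 80 and the two policy changes are reported.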