5/16/2023

Digital cryptocurrency ticker rrt

Tearing Apart the Undetected (OSX) Coldroot RAT

The malicious application arrives with a normal “document” icon, so a user might think he is opening a document rather than a malicious application. Once executed, the malware will try to get root access by popping up a window asking the user for credentials. It will create a LaunchDaemon in order to persist across system reboots (“/Library/LaunchDaemons/.plist”). In addition, it will modify the system security database file TCC.db to add itself as an Accessibility application, meaning it will then have the ability to control the computer. The malware keeps its configuration within a file in its application bundle (“MacOS/conx.wol”).

The malware is weaponized with a wide range of commands such as:
- File/folder control (move, rename, delete)
- Keylogging
- Gain accessibility rights by modifying TCC.db

CrossRAT

CrossRAT is a cross-platform malware written in Java, targeting Windows, Linux and macOS. The infection vector is a malicious document that arrives in a phishing campaign. If macros are enabled, malicious code will be executed to download and infect the system. When executed, the malware will try to copy itself to /usr/var/mediagrs.jar if it has permissions, and in case it fails it will copy itself to %HOME%/Library/mediamgrs.jar. The malware creates the LaunchAgent “$HOME/Library/LaunchAgents/ist” for persistence on the infected machine. There are signs that imply that the malware was developed by/for the Dark Caracal APT group.
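A host-side check for the on-disk artifacts named in both write-ups, added here as an example and not code from either original analysis. The TCC.db location, its `access` table columns and the `kTCCServiceAccessibility` service name are assumptions, and the two plist names that are truncated above are not reconstructed; the launch directories are searched instead.

```python
import sqlite3
from pathlib import Path

# Paths quoted above; the truncated plist names are not reconstructed, so the
# launch directories are searched instead. TCC details are assumptions.
CROSSRAT_JARS = ("usr/var/mediagrs.jar", "HOME/Library/mediamgrs.jar")
COLDROOT_CONFIG = "Contents/MacOS/conx.wol"  # relative to the .app bundle
LAUNCH_DIRS = ("Library/LaunchDaemons", "HOME/Library/LaunchAgents")
TCC_DB = "Library/Application Support/com.apple.TCC/TCC.db"  # assumed path
ACCESSIBILITY = "kTCCServiceAccessibility"  # assumed service name

def _resolve(root: Path, home: Path, rel: str) -> Path:
    """'HOME/...' entries live under the user's home, the rest under root."""
    return home / rel[5:] if rel.startswith("HOME/") else root / rel

def accessibility_clients(tcc_db: Path) -> list[str]:
    """Clients granted Accessibility in TCC.db (assumes an 'access' table)."""
    if not tcc_db.is_file():
        return []
    try:
        with sqlite3.connect(tcc_db.resolve().as_uri() + "?mode=ro", uri=True) as db:
            rows = db.execute("SELECT client FROM access WHERE service = ?",
                              (ACCESSIBILITY,)).fetchall()
    except sqlite3.Error:  # e.g. the OS refuses to let us read the database
        return []
    return sorted(r[0] for r in rows)

def find_artifacts(root: Path, home: Path, apps: Path) -> list[str]:
    """One line per indicator found; an empty list means nothing matched."""
    hits = []
    for rel in CROSSRAT_JARS:
        if _resolve(root, home, rel).is_file():
            hits.append(f"crossrat jar present: {rel}")
    if apps.is_dir():
        for bundle in sorted(apps.glob("*.app")):
            if (bundle / COLDROOT_CONFIG).is_file():
                hits.append(f"coldroot config in bundle: {bundle.name}")
    for rel in LAUNCH_DIRS:
        d = _resolve(root, home, rel)
        for plist in sorted(d.glob("*.plist")) if d.is_dir() else []:
            text = plist.read_text(errors="ignore")
            if any(Path(j).name in text for j in CROSSRAT_JARS):
                hits.append(f"launch item references crossrat jar: {plist.name}")
    for client in accessibility_clients(root / TCC_DB):
        hits.append(f"accessibility granted to: {client}")  # review each one
    return hits
```

On a live machine call `find_artifacts(Path("/"), Path.home(), Path("/Applications"))`; reading TCC.db needs Full Disk Access, otherwise that part silently returns nothing.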