Coldroot is a remote access trojan (RAT) first discovered in 2016 when its code was posted on GitHub. Although the code is readily available for download, the malware has gone unnoticed by anti-virus scan engines. Originally the RAT appeared to be created as a joke to "Play with Mac users", but it has since expanded to work on Linux, macOS, and Windows operating systems. When it first became publicly available as an open-source RAT in 2016, it remained anonymous and was never used in any major cybercrime operations.

In February 2018, Digita Security reported that the Coldroot RAT had entered active distribution. Unlike the 2016 GitHub version, the new Coldroot was discovered in a faux Apple audio driver. When opened, the fake audio driver, which appears as com.apple.audio.driver2.app, prompts for the user's credentials. If the user enters their credentials, the malware installs and contacts its command and control server to await further instructions. On macOS, the malware then modifies the privacy database, which lets it interact with system components to carry out malicious tasks. Each time the system is restarted, the trojan persists on the computer with full system access. Once a device is infected, the malware can spawn new remote desktop sessions, take screen captures and assemble them into a live stream of the affected desktop, start and kill processes on the target system, and search for, download, upload, and execute files.
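The two artifacts the description above gives a defender to hunt for are the bundle name of the fake audio driver and an unexpected grant in the macOS privacy (TCC) database. The following Python script is an added example, not code from the page or from Digita Security: it checks a list of paths for the reported bundle name and lists clients that hold the Accessibility service in a TCC-style SQLite database but are not on an admin-maintained allowlist. The simplified `access(service, client, allowed)` table layout, the `KNOWN_CLIENTS` allowlist and the sample rows are constructed assumptions (real TCC.db schemas differ between macOS versions), so point it at a copy of a real database only after adjusting the query.

```python
import os
import sqlite3
import tempfile

# Bundle name the 2018 campaign used for its fake audio driver (from the text above).
COLDROOT_BUNDLE = "com.apple.audio.driver2.app"

# Accessibility is the TCC service a remote-desktop RAT needs to drive the UI.
# The service name is real; the table layout used below is a simplifying assumption.
ACCESSIBILITY_SERVICE = "kTCCServiceAccessibility"

# Hypothetical allowlist of clients an administrator expects to hold Accessibility.
KNOWN_CLIENTS = {"com.apple.Terminal", "com.example.screenshare"}


def find_suspicious_bundles(paths):
    """Return every path whose last component matches the reported Coldroot bundle name."""
    return [p for p in paths if os.path.basename(p.rstrip("/")) == COLDROOT_BUNDLE]


def unexpected_accessibility_clients(db_path, known=KNOWN_CLIENTS):
    """List clients granted Accessibility in a TCC-style database that are not allowlisted."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            "SELECT client FROM access WHERE service = ? AND allowed = 1",
            (ACCESSIBILITY_SERVICE,),
        ).fetchall()
    finally:
        conn.close()
    return sorted({client for (client,) in rows if client not in known})


def build_sample_db(path):
    """Create a constructed TCC-like database with legitimate, rogue and disabled grants."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE access (service TEXT, client TEXT, allowed INTEGER)")
        conn.executemany(
            "INSERT INTO access VALUES (?, ?, ?)",
            [
                (ACCESSIBILITY_SERVICE, "com.apple.Terminal", 1),      # expected
                (ACCESSIBILITY_SERVICE, "com.apple.audio.driver2", 1),  # constructed rogue grant
                ("kTCCServiceCamera", "com.example.chat", 1),            # different service
                (ACCESSIBILITY_SERVICE, "com.example.disabled", 0),     # grant not allowed
            ],
        )
    conn.close()


def run_demo():
    """Build the sample database and run both checks against constructed inputs."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "TCC.db")
        build_sample_db(db)
        sample_paths = [
            "/Applications/Safari.app",
            "/Users/demo/Downloads/com.apple.audio.driver2.app",  # constructed hit
        ]
        return {
            "bundles": find_suspicious_bundles(sample_paths),
            "clients": unexpected_accessibility_clients(db),
        }


if __name__ == "__main__":
    print(run_demo())
```

The allowlist approach matters more than the bundle-name match: a renamed dropper evades the name check, but any remote-control implant still has to appear as an Accessibility client, so reviewing that list against what the administrator actually approved catches variants the name lookup misses.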
- Technical details are available from Digita Security.