Everything Cold is New Again
Coldroot, a new strain of macOS malware that's eluded detection for more than a year has a keylogger and can gain persistence with root privileges.
For malware authors, Windows is and always has been where the action is, but the last few years have seen an uptick in the volume of malware targeting macOS. Most of the variants that go after Mac users aren’t as well known or prevalent as their Windows relations, but that doesn’t mean they can’t do their share of damage.
Patrick Wardle, a researcher who spends a lot of time building Mac security tools and looking at malicious behavior on the platform, recently came across a piece of macOS malware that apparently has been floating around for more than a year but has avoided any kind of detection by anti-malware tools. Known as Coldroot, the malware has a wide range of capabilities, including keylogging, and can burrow into an infected system and gain persistence with root privileges.
Coldroot disguises itself as an audio driver for macOS and after it’s installed and a user clicks on the app icon, the malware immediately demands the user’s credentials. That’s typical behavior for apps that want to modify the system in some way, but after Coldroot grabs the credentials, there’s no other visible indication that anything is going on, which isn’t normal.
“Behind the scenes the application persists itself as a launch daemon. This is a common method employed by malware to ensure that it is automatically (re)started every time an infected system is rebooted,” Wardle said in his analysis of the malware.
“Again, behind the scenes, the application will automatically beacon out to a server. While creating a network connection is itself not inherently malicious, it is a common tactic used by malware - specifically to check in with a command & control server for tasking.”
Weirdly, Coldroot was written in Pascal, a language that predates the founding of Apple itself by several years. Wardle noted that this may have been done in order to make Coldroot work across platforms. Coldroot also uses a technique that Wardle has been researching, which involves apps trying to modify TCC.db, which is a special privacy database in macOS. That database has a list of apps that are granted accessibility rights, and Coldroot tries to modify it.
“With such rights, applications can then interact with system UIs, other applications, and even intercept key events (i.e. keylogging). By directly modifying the database, one could avoid the obnoxious system alert that is normally presented to the user,” Wardle said.
Apple engineers have taken notice of this technique and newer versions of macOS include a feature that protects the database. However, Wardle said older Macs could still be vulnerable, and Coldroot will be able to take advantage of that.
“Besides persistently installing itself as a launch daemon, the '_INSTALLMEIN_$$_INSTALL' function also attempts to provide the malware with accessibility rights (so that it may perform system-wide keylogging). In order to gain such rights the malware first creates the /private/var/db/.AccessibilityAPIEnabled file and then modifies the privacy database TCC.db. The former affords accessibility rights on older versions of macOS,” Wardle said.
Once Coldroot has those rights, it has full root access and persistence on the machine. Digging through the code Wardle found some references to the author’s handle, and then discovered an explanatory video that details the malware’s functionality and shows that it will work on Windows, Mac, and Linux.