- Platform: Mac OS X
- Last updated: 03/03/18 5:23 am
Coldroot is a Trojan horse. The malware is cross-platform, meaning that it can affect Windows, Linux, and macOS operating systems. It was first discovered in 2018, though subsequent investigation found that it had been available for sale on underground sites since 2017. In addition, earlier, less feature-rich versions of the malware had been distributed on GitHub since 2016.
Coldroot for macOS comes disguised as an audio device driver, in a file named “com.apple.audio.driver.app”. If launched, the malware displays a prompt asking the user to enter their credentials and give permission for the app to make system changes. If the user does this, Coldroot immediately installs a launch daemon in order to achieve persistence — the ability to survive and relaunch after reboots. It also modifies the macOS privacy database (TCC.db) to give itself system-wide keylogging permissions. The malware then contacts a remote command and control server owned by the hacker, and awaits instructions. At each launch, Coldroot turns on its keylogging functionality (which allows it to capture sensitive data like login credentials), and checks in with its command and control server so that it can execute any commands given to it by the malicious actor.
In addition to keylogging, Coldroot is able to read, alter, or delete files and directories; execute or kill system processes; perform uploads and downloads; create a remote desktop connection and take screenshots of the system; or shut down the system entirely.
Since macOS 10.13 High Sierra, Apple has protected the TCC.db privacy database via System Integrity Protection (SIP), so Coldroot should not be able to gain keylogging capabilities on newer OS versions. Users running older OSes, however, would still be at risk of having their credentials stolen.
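The two host artefacts the description names, a launch daemon that relaunches the disguised "com.apple.audio.driver.app" and a TCC.db grant that lets it log keystrokes, are what an incident responder would look for on a machine suspected of running Coldroot. The script below is an added illustration of that triage, not MacScan's or the malware's code. It assumes the pre-10.14 TCC.db `access` table layout (a simplified version of the real schema), uses the real service name `kTCCServiceAccessibility` (the permission a keylogger needs; the page only says "keylogging permissions"), and constructs its own sample plists, database and file paths: the daemon label, the /Library path and the benign entries are all made up for the demo.

```python
"""Triage helper for the two Coldroot artefacts the write-up names: a launchd
plist that references the disguised app, and an Accessibility grant in TCC.db.
Added example, not MacScan or Coldroot code; every path, label and the
TCC.db schema below are constructed for illustration."""
import os
import plistlib
import sqlite3
import tempfile

# Filename the malware uses, taken from the write-up.
SUSPECT_MARKER = "com.apple.audio.driver"

# Accessibility is the TCC service a keylogger needs (real service name);
# the table layout below is a simplified pre-10.14 schema (assumption).
ACCESSIBILITY_SERVICE = "kTCCServiceAccessibility"


def inspect_launchd_plist(plist_bytes, marker=SUSPECT_MARKER):
    """Parse a launchd plist and report whether its program references the marker."""
    job = plistlib.loads(plist_bytes)
    programs = []
    if "Program" in job:
        programs.append(job["Program"])
    programs.extend(job.get("ProgramArguments", []))
    return {
        "label": job.get("Label"),
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "suspicious": any(marker in str(p) for p in programs),
    }


def accessibility_clients(db_path, service=ACCESSIBILITY_SERVICE):
    """Return the clients TCC.db records as allowed for the given service."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT client FROM access WHERE service = ? AND allowed = 1", (service,)
        ).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def flag_keylogger_grants(db_path, marker=SUSPECT_MARKER):
    """Accessibility clients whose bundle id matches the suspect marker."""
    return [c for c in accessibility_clients(db_path) if marker in c]


def build_sample_tcc_db(path):
    """Write a constructed TCC.db with one benign and one suspicious grant."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, allowed INTEGER)"
    )
    con.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            (ACCESSIBILITY_SERVICE, "com.example.legit-accessibility-tool", 0, 1),  # constructed
            (ACCESSIBILITY_SERVICE, "com.apple.audio.driver", 0, 1),  # mimics the malware
            ("kTCCServiceAddressBook", "com.example.mailclient", 0, 1),  # unrelated grant
        ],
    )
    con.commit()
    con.close()


# Constructed launchd plists: one pointing at the disguised app, one benign.
SAMPLE_MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.constructed.daemon</string>
<key>ProgramArguments</key><array>
<string>/Library/com.apple.audio.driver.app/Contents/MacOS/com.apple.audio.driver</string>
</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup-agent</string>
<key>Program</key><string>/usr/local/bin/backup-agent</string>
<key>RunAtLoad</key><true/>
</dict></plist>"""


def run_demo():
    """Build the constructed artefacts in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "TCC.db")
        build_sample_tcc_db(db)
        grants = flag_keylogger_grants(db)
    reports = [inspect_launchd_plist(p) for p in (SAMPLE_MALICIOUS_PLIST, SAMPLE_BENIGN_PLIST)]
    return grants, reports


if __name__ == "__main__":
    found, plist_reports = run_demo()
    print("Accessibility grants matching marker:", found)
    for r in plist_reports:
        print(r)
```

On a real Mac the plists of interest live under /Library/LaunchDaemons and the system privacy database at /Library/Application Support/com.apple.TCC/TCC.db; on 10.13 and later SIP stops processes from writing that file, which is exactly why the keylogging grant should be absent there, while the launch daemon check still applies.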
Coldroot Threat Removal
MacScan can detect and remove Coldroot Malware from your system, as well as provide protection against other security and privacy threats. A 30-day trial is available to scan your system for this threat.