BlackHole RAT 2 Trojan Horse for Mac OS X Discovered

Posted: March 31st, 2011
Updated: April 3rd, 2011

Security Risk: Low

UPDATE: As predicted by the SecureMac team, the new version of BlackHole RAT 2 was officially released on a hacker message board this weekend, with some slight differences from the earlier version analyzed by SecureMac. The trojan horse, once installed, disguises itself as a Java Updater. In addition, the author is now referring to the trojan as Freeze RAT, but it contains much of the same code as BlackHole Rat 2.0a. The new version has a more complicated installation process that requires physical access to the computer, so SecureMac continues to rate this as a low threat.

SecureMac has discovered a new version of BlackHole RAT trojan horse as labeled by the hacker as 2.0 for Mac OS X. This new version should not be confused with an older variant already detected back in February by SecureMac as BlackHole RAT 1.0c that has recently been in the news called OSX/BlackHoleRAT.B.

Upon first release of BlackHole RAT 1.0, SecureMac identified three variants of the trojan horse, including one disguised as Apple’s Safari web browser. At that time, it was noted that the trojan horse appeared to be a work-in-progress, and that further variants would probably appear in the future.

SecureMac’s prediction proved to be correct, as there is a brand new version of the trojan horse currently being passed around on hacker message boards. This new version of the trojan horse is substantially different than previous variants, and is described as version 2.0 by the hacker who created it.

The new version of the trojan horse adds itself as a login item disguised as Java, has a more believable prompt for username and password, slows down the computer by tying up the CPU with a loop function, executes shell commands, and can attempt to erase the hard drive.

In the version analyzed by SecureMac, the author states that the trojan horse is unstable, but an upcoming version will improve stability. It appears that development of this program is ongoing, and the author recently posted to a hacker message board that the new version has been completed and is currently in testing, so we expect that it will soon be distributed in a more widespread fashion.

This new version of the trojan horse is detected by MacScan as “BlackHole RAT 2.0a” in the spyware definitions update released on March 31st, 2011.

The original SecureMac security bulletin about BlackHole RAT 1.0 trojan horse can be found here: https://www.securemac.com/blackholerat-bulletin.php

About MacScan

MacScan quickly detects, isolates and removes malware from Macintosh computers using both real-time spyware definition updating and unique detection methods. The software also manages internet-related clutter on your computer. It is designed for Mac OS X version 10.2.4 and later.

Since 1999, SecureMac has been at the forefront of Macintosh system security. The site not only features complete Macintosh Anti-Spyware and Antivirus solutions, but also operates as a clearinghouse for news, reviews and discussion of Apple computer security issues. Users from novice to the most advanced will find useful information at SecureMac that is designed to make their computer experience trouble free.