Coldroot Mac Malware Silently Performs System-Wide Keylogging

Coldroot Mac Malware Silently Performs System-Wide Keylogging
Laptop captured by viruses. Conceptual illustration suitable for advertising and promotion

Another day, another malware – This time it targets macOS and it comes with keylogging capabilities.

Security researchers have discovered a malicious new malware strain called Coldroot that remains undetected by all antivirus programs including all on Virustotal since just 18 out of 20 antivirus tools were able to detect it as malicious. This Mac malware is a Random Access Trojan (RAT) that was shared online on Github in 2016 as part of a joke to target Mac users. Ever since 30 March 2016, this RAT has been available freely on Github and even today it is actively distributed.

Coldroot goes undetected

Coldroot is now capable of affecting all main desktop operating systems and can silently gain remote control on a compromised/vulnerable computer. It must be noted that AV firms haven’t yet noticed this malware. The details of Coldroot were revealed publicly by a security researcher and Digita Security’s chief research officer Patrick Wardle.

Wardle identified that it was a “feature complete, currently undetected” malware and was being sold by its suspected author Coldzer0 on the Dark Web since 1 January 2017. He further revealed that Coldzer0 also offered potential customers information about the methods of malware customization. Furthermore, Coldzer0 posted a video stating that the cross-platform Coldroot RAT can be used for targeting MacOS, Linux, and Windows-based systems.

Coldroot’s keylogging capabilities

The malware’s improved recent version was identified initially in an illegitimate Apple audio driver namely “” It is displayed as a document and asks for admin access and then silently installs and communicates with its C&C server for additional instructions. Once the user clicks on it a pop-up message appears that seems like a regular authentication message. It requests for user’s MacOS credentials. When credentials are provided, Coldroot modifies the TCC.db privacy database allowing malware the required accessibility to perform system-wide keylogging.

Coldroot Mac Malware Silently Performs System-Wide Keylogging
This is how keylogging of banking credentials is done through Coldroot (Gif credit: Digital Security)

“It should be noted that if no command or tasking is received from the command & control server, the malware will simply continue beaconing… interestingly, sending the name of the user’s active window in each heartbeat,” writes Wardle.

Moreover, the malware manages to stay into the infected system by installing itself as a launch daemon. This way, the malicious code launches automatically every time the infected computer is turned on.

Coldroot’s capabilities when inside a system

The malware is capable of capturing screenshots, initiate and end processes, search for and upload new files, start a remote desktop session and shut down the operating system remotely. Currently, it is unclear if the recent version of Coldroot is the same that was uploaded around two years back or it is a modified version of that malware. The malware still contains the contact details of its original author, which could be a deliberate attempt to deceive others by someone who picked the malware from Github and modified it with new features.

Wardle stated that the malware may not be able to affect newer operating systems like MacOS High Sierra particular because the system’s TCC.db is protected through System Integrity Protection (SIP). But he believes that the malware’s active distribution shows that hackers are continually trying to target MacOS and to stay protected users of MacOS must switch to the operating system’s latest version.

Image credit: DepositPhotos

Related Posts