Meet Coldroot, a nasty Mac trojan that went undetected for years

“A Mac malware that can silently, remotely control a vulnerable computer and steal passwords from a user’s keychain has gone largely unnoticed by antivirus makers for two years — even though the code is readily available to download,” Zack Whittaker writes for ZDNet.

“Patrick Wardle, chief research officer at Digita Security, revealed in a blog post Tuesday details of Coldroot, a remote access trojan,” Whittaker writes. “After tearing down the malware in a new analysis, he found that none of the antivirus makers listed on online malware scanner VirusTotal were able to detect the malware at the time of his research — even though its code was published in 2016.”

“The malware masquerades as a document, which when opened, presents a prompt for the user’s password. In the hope that a user will naively enter their credentials, the malware will silently install and contact its command and control server to await instructions from an attacker,” Whittaker writes. “Apple patched against the malware in macOS Sierra by protecting the database with system integrity protection, which won’t automatically grant the malware accessibility rights — even with a user’s password.”
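The last sentence above rests on two conditions: System Integrity Protection is on, and the TCC database that holds accessibility grants is one of the files SIP refuses to let a user-mode process modify, even with a root password. The script below is an added check, not code from the ZDNet article or from Patrick Wardle's analysis, that tests both on a Mac; the database path, and the exact strings matched from `csrutil status` and `ls -lO`, are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the article or from Wardle's write-up.
# Checks that SIP is enabled and that the TCC accessibility database
# carries the SIP "restricted" flag. Assumptions: the TCC.db path below,
# and the text that `csrutil status` and `ls -lO` print on macOS.

TCC_DB="/Library/Application Support/com.apple.TCC/TCC.db"

# sip_state: classify the text printed by `csrutil status`.
# Prints enabled, disabled or unknown.
sip_state() {
  case "$1" in
    *"status: enabled"*)  echo enabled ;;
    *"status: disabled"*) echo disabled ;;
    *)                    echo unknown ;;
  esac
}

# has_restricted_flag: true when an `ls -lO` line for the file shows the
# SIP "restricted" flag (it may be combined, e.g. "restricted,compressed").
# A file with this flag cannot be rewritten by malware that has only a
# user password, which is what stops a self-granted accessibility entry.
has_restricted_flag() {
  case "$1" in
    *restricted*) return 0 ;;
    *)            return 1 ;;
  esac
}

# audit: returns 0 when both conditions hold, 1 otherwise. It takes the
# two command outputs as arguments so it can be exercised off a Mac.
audit() {
  sip="$(sip_state "$1")"
  if [ "$sip" != enabled ]; then
    echo "FAIL: SIP is $sip; TCC.db could be edited directly by anything holding the user's password"
    return 1
  fi
  if ! has_restricted_flag "$2"; then
    echo "FAIL: TCC.db does not carry the SIP restricted flag"
    return 1
  fi
  echo "OK: SIP enabled and TCC.db is SIP-restricted"
  return 0
}

# Live run on macOS only; elsewhere csrutil is absent and the check is skipped.
if command -v csrutil >/dev/null 2>&1 && [ -e "$TCC_DB" ]; then
  audit "$(csrutil status 2>&1)" "$(ls -lO "$TCC_DB" 2>/dev/null)"
fi
```

A FAIL on the first check is the situation the article's mitigation does not cover: with SIP disabled, a password prompt of the kind Coldroot shows is enough to write an accessibility grant into the database directly.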

Read more in the full article here.

MacDailyNews Take: Coldroot has obviously already been dealt with by Apple some 17 months ago.


  1. Don’t get me wrong…I absolutely despise the b@stards who are preying on the naive, ignorant, and technologically challenged. Fortunately for my family, my mother does not use a computer or any type of smart device. So, despite her unfortunate and heartbreaking cognitive decline, we only have to police her regular mail for scam materials masquerading as bills or the parade of requests for money. It would be far tougher to keep her safe from scammers on the internet.

    However, I also believe in personal responsibility. Aside from the people who, like my mother, face cognitive challenges, people who are using technology need to be sufficiently conversant with the tools that they are employing to protect themselves from drive-by scams like Coldroot. None of my kids, for instance, would take a second look at such a pitiful scam attempt – delete and goodbye! People cannot be mentally lazy and expect others to protect them from every eventuality.

    1. Without going into a diatribe, I’ll point out the single most important question to ask any computer user:

      Q: Where’s your backup?

      If a computer user does not have a backup, they should NOT be using a computer. That includes all ‘smart’ devices. Apple kindly provide a backup method, for free, for all their devices. If a user isn’t using them or simply doesn’t know about them, they’re either a newbie or what is sadly described as a “LUSER” by the computer community. Such people require education about the most basic aspects of computing in order to not be a danger to themselves, their computers and the entire Internet.

      This isn’t a cruel opinion. It’s a fact of computing. Keep in mind that we continue to live in what I call The Dark Age of Computing. It’s NOT a user-friendly world out there on the Internet. It’s a place of consistent and constant computer security danger. Would that this dark age would end. Would that everyone was as computer and gizmo savvy as those of us who work in the field.

      1. Excellent, except I do insist on multiple backups.

        The biggest problem that all internet users face is that a new slippery bit of code that no one knows about (NSA anyone) can infect the best protected and maintained piece of hardware & we will not have a chance in hell of finding it any time soon.

        When we do find & remove it, there is no way to truly guarantee it cannot reinstall itself later from some hidden folder or whatever.

        1. I agree regarding multiple backups. But seeing as we’re attempting to help people unready or unable to comprehend the basic rules of using a computer, having even ONE backup is a blessing.

          Regarding the restoration of a system from a backup, I deliberately avoided going into such brain-entangling complexity. At least a ‘LUSER’ can hire someone to figure that out for them. Unless they’re a business with some cash, they CAN’T hire anyone to make backups for them. It’s DIY or die.

          And as we always must point out, ALL computer drives DIE EVENTUALLY. No backup? You deserve what you get. It’s that basic.

      2. Keep two HW backups of my main desktop Mac.

        One is a 4 bay ProDrive that is used for Time Machine Backups on one drive and backs up my Media Library on the other 3.

        I have a second SSD that I keep disconnected that is a mirror of the main bootable drive. About once a month I connect it after a full system scan and clone the HD. In the event of a catastrophic failure of HW or corruption of the boot drive, I can plug it in to another Mac and boot off of it.

        Finally, I have a collection of DVD media that has a complete backup of my documents, including photos and home video. It is stored offsite in a Safe Deposit Box.

        Not paranoid, but things can happen. An old friend of mine (back to the 6th Grade, and we are in our 50’s) was out of town on vacation when his house burned to the ground and he lost everything, paper and digital, and had no backup copies. Imagine losing all your financial records, all your documents and everything else.

        1. Sorry, no. I’m not bothering with High Sierra until Apple actually finishes it. That is to say, the Apple File System (APFS) isn’t ready for Prime Time. Why Apple shoves it, without asking the user, onto SSD drives and conventional hard drives at this point is beyond my comprehension. Why there’s no APFS for Fusion drives is beyond my comprehension. There used to be in the first 10.13 beta! APFS is another Apple Blunder®™ IMHO. When Apple actually finish APFS I’ll care.

          Note that I was a champion for ZFS on Mac from way back and Apple bungled that even worse. At least APFS is mostly equivalent to ZFS. But I’d think they’d FINISH IT before FOISTING IT. Very naughty.

  2. Patrick Wardle is a Mac security elf, well worth following in the field. Keeping track of what he’s up to can be a bit daunting as he has at least half-a-dozen outlets where he posts his work, including his own security company, Objective-See.

    From what I’m reading, we don’t yet know if this Trojan malware was ever let loose in the wild. We know it has been offered for sale, which is typical of RATs, Remote Administration Tools. The initial sale date was the start of 2017. We know it was designed to work on Windows, Mac and Linux, depending upon a purchasing hacker’s choice. We know it included a key logger.

    Patrick says:

    In this blog post we provided a comprehensive technical analysis of the macOS agent of the cross-platform RAT OSX/Coldroot. Though not particularly sophisticated, it’s rather ‘feature complete’ and currently undetected by all AV-engines on VirusTotal. Moreover, it is a good illustrative example that hackers continue to target macOS!

    And remember if you want to stay safe, running the latest version of macOS will definitely help! For one, (due to a bug in UPX?) the OS refuses to even run the malware…

    As to why none of the commercial or free anti-malware apps can detect it: (A) These developers aren’t making adequate use of VirusTotal, a core public site for uploading and testing potential malware. (B) The anti-malware community continues to be un-scientific by nature. Yes, that’s an insult, one I’ve been pointing out for over 10 years in my writing about Mac security. Patrick and a few other investigators are exceptional.

    Apple did NOT specifically provide protection against Coldroot RAT. What they did do was provide protection for an aspect of macOS that has been vulnerable and exploitable in earlier versions than Sierra. In other words, Apple has enacted a protection mechanism that stops ‘cold’ any malware attempting to hack in to the OS using the methods employed by Coldroot RAT.

    My Conclusion:
    This malware is just a curiosity. It’s an illustration of excellent investigative techniques and of the vicious malware being created to attack and surveil ALL common contemporary computer platforms. It also points out that Apple continues to ‘harden’ macOS against modern malware methods of attack and that their efforts are paying off. It’s entirely possible that Coldroot RAT never showed up in the wilderness of Mac users because it was essentially inert on most Macs right out of the gate.
