Anti-virus software vendors accused of failing to protect Mac users from Coldroot Trojan

Coldroot Trojan has been in circulation for at least a year - possibly longer

Security researchers have warned that users of MacOS-based devices could fall victim to a Trojan that anti-virus software fails to detect.

According to Digita Security chief technology officer Patrick Wardle, anti-virus software vendors have failed to include signatures to detect a potent Trojan that has been increasing in complexity for years.

He said that the Coldroot RAT (remote access trojan) has been compromising devices for years, but that security software vendors appear to have been unaware of the danger it presented.

The Trojan is predominantly targeting MacOS devices, although Wardle warned that it could potentially be used against other operating systems too.

The Trojan can be used to install keystroke-loggers on MacOS systems in a bid to obtain passwords and banking details, particularly credit-card numbers.

Wardle published his findings in a technical post on Saturday. He believes that cyber criminals have been selling access to the malware since January 2017.

There is also evidence indicating that some versions of the malware have been circulating on GitHub for two years, meaning that not only is it widely known about, but that the anti-virus software vendors could have incorporated signatures into their security suites.

In his report, Wardle spoke about "a vulnerability I found in all recent versions of MacOS that allowed unprivileged code to interact with any UI component including 'protected' security dialogs".

He continued: "Though reported and now patched, it allowed one to do things like dump passwords from the keychain or bypass High Sierra's 'Secure Kext Loading' - in a manner that was invisible to the user."

Wardle added that attackers have been using the Trojan to tweak the operating system's privacy database. By doing this, they were able to alter the accessibility rights.

"With such rights, applications can then interact with system UIs, other applications, and even intercept key events (i.e. keylogging)," he said.

"By directly modifying the database, one could avoid the obnoxious system alert that is normally presented to the user."

The Trojan was also able to change the TCC.db database, which could hand even more rights to an attacker.

However, MacOS High Sierra has protections in place to prevent this, meaning that older versions of MacOS are most at risk.
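The direct TCC.db edit described above leaves a trace a defender can look for: an Accessibility grant that no administrator approved, or one recorded without the consent alert ever being shown. The following added example (not code from the article or from Wardle's write-up) audits an `access` table for such entries; it assumes the pre-Mojave TCC.db schema, builds a constructed in-memory copy rather than reading the real file, and uses `prompt_count == 0` as a heuristic for a grant written without a prompt.

```python
import sqlite3

# Pre-Mojave layout of the TCC.db "access" table (assumed for this example; the real
# per-user file lives under ~/Library/Application Support/com.apple.TCC/TCC.db).
SCHEMA = """CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
    allowed INTEGER NOT NULL, prompt_count INTEGER NOT NULL, csreq BLOB,
    PRIMARY KEY (service, client, client_type))"""

# Bundle identifiers an administrator has approved for Accessibility (constructed).
ACCESSIBILITY_ALLOWLIST = {"com.example.approved-automation"}


def load_sample_db():
    """Build an in-memory TCC.db with constructed rows, one of them suspicious."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)",
        [
            # Grant approved through the normal consent dialog: prompt_count > 0.
            ("kTCCServiceAccessibility", "com.example.approved-automation", 0, 1, 1, None),
            # Grant written straight into the DB: never prompted, not on the allowlist.
            ("kTCCServiceAccessibility", "com.example.unknown-helper", 0, 1, 0, None),
            # Unrelated service entry that must not be flagged.
            ("kTCCServiceAddressBook", "com.example.contacts-sync", 0, 1, 1, None),
        ],
    )
    return conn


def find_suspicious_accessibility_grants(conn, allowlist=ACCESSIBILITY_ALLOWLIST):
    """Return (client, reason) pairs for Accessibility grants that look injected:
    the client is not on the allowlist, or prompt_count is 0 (heuristic: the
    user was never shown the alert that a legitimate grant produces)."""
    rows = conn.execute(
        "SELECT client, prompt_count FROM access "
        "WHERE service = 'kTCCServiceAccessibility' AND allowed = 1"
    ).fetchall()
    findings = []
    for client, prompt_count in rows:
        reasons = []
        if client not in allowlist:
            reasons.append("not on allowlist")
        if prompt_count == 0:
            reasons.append("granted without a user prompt")
        if reasons:
            findings.append((client, "; ".join(reasons)))
    return findings
```

Running `find_suspicious_accessibility_grants(load_sample_db())` flags only `com.example.unknown-helper`, with both reasons; on a real host the same query would be run against a copy of the user's TCC.db.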

He added: "Behind the scenes, the application will automatically beacon out to a server.

"While creating a network connection is itself not inherently malicious, it is a common tactic used by malware - specifically to check in with a command and control server for tasking," Wardle notes.

"When the malware receives a command from the server to start a remote desktop session, it spawns a new thread named: 'REMOTEDESKTOPTHREAD'.

"This basically sits in a while loop (until the 'stop remote desktop' command is issued), taking and 'streaming' screen captures of the user's desktop to the remote attacker."