Coldroot RAT Still Undetectable by most AVs Despite Being Uploaded on GitHub Two Years Ago

LASER_oneXM
Feb 4, 2016


Coldroot, a remote access trojan (RAT), is still undetectable by most antivirus engines, despite being uploaded and freely available on GitHub for almost two years.

The RAT appears to have been created as a joke, "to Play with Mac users," and "give Mac it's rights in this [the RAT] field," but has since expanded to work on all three major desktop operating systems (Linux, macOS, and Windows), according to a screenshot of its builder extracted from a promotional YouTube video.


But despite being open-sourced in 2016, the RAT remained in obscurity and was never at the center of any major cybercrime operation. Unfortunately, that appears to have changed in the meantime, and the RAT has now entered active distribution.

Coldroot RAT found in fake Apple audio driver package
Patrick Wardle, a Mac security researcher with Digita Security, has recently stumbled on a new version of the Coldroot RAT, which he analyzed in a technical teardown.

Wardle says this new version of the Coldroot RAT, which he discovered inside a fake Apple audio driver, is different from the old version posted on GitHub in 2016.

But the artifacts he found while analyzing the fake Apple audio driver matched the modus operandi and technical details of the old Coldroot RAT GitHub code, suggesting the two are very likely connected, if not the same project.