To follow up on our post last Friday, I was contacted by the author of the DarkComet RAT Trojan. He seemed quite upset that I suggested the new Mac OS X Trojan BlackHole RAT was related to his Windows creation.
While the BlackHole RAT Trojan seems to be copying the behavior of DarkComet, the lack of functionality and the unsophisticated user interface clearly offended the author, who felt it was necessary to set the record straight.
To make a point, DarkComet’s author acknowledges that he is developing his own Mac OS X Trojan, called DarkCometX, that is not yet finished. He provided the following screenshot.
Learning of two Mac OS X Trojans in less than a week was, admittedly, a bit of a surprise. Technically, in and of itself, writing a Trojan is not illegal. It’s all in what you do with it.
Looking at the code and descriptions, though, I think it is clear what the authors expect you to do with their “products.”
BlackHole RAT includes text saying things like
'I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can't be infected, but look, you ARE Infected!'
and
'So, Im a very new Virus, under Development, so there will be much more functions when im finished.'
This hardly sounds like a legal use to me.
Likewise, DarkComet RAT’s author states “This software allow you to make hundreds of functions stealthly and remotely without any kind of autorisation in the remote process.” and references the term “Bot Shell” in his Mac OS X development build.
Some folks provided feedback that I had used the acronym RAT incorrectly, saying it stands for Remote Access Tool, not Remote Access Trojan. While the authors would like you to believe they are simply tools, I think the evidence suggests Trojan is more appropriate.
If you are interested in what you can do to protect your Mac, check out Ben Jupp’s Mac OS X security tips part 1, part 2 and part 3 and download our free Sophos Anti-Virus for Mac Home Edition.
Creative Commons image of Rat Fink courtesy of Jennifer Ennis’s Flickr photostream.
RAT for Mac?
With so many RATs (Remote Administration Tools) available for Windows, people wonder whether there is a good and useful RAT for the Mac as well.
The searches and discussions on this topic go on and on; at one point an online poll favored continuing the development:
A useful description of RATs that work on OS X can be found here.
The most recent/updated development is HellRaiser version 4.2, coded by DCHKG, an underground Mac programming team.
HellRaiser includes a configuration component, where the remote controller can specify the server parameters.
The server component is the application distributed to the target OS X user. It requires manual execution to install itself and to enable the server to run in the background (hidden from the Dock). Once successful, the server component (or the slave) reports back to the master as shown below.
This is the same version that Intego recently discovered in the wild disguised as an iPhoto installer.
How would I know if the HellRaiser server is installed or running?
Option 1: Open Network Utility and Activity Monitor (/Applications/Utilities/) and kill the process.
Option 2: Open Terminal and type lsof -i (this lists running processes and their matching network/internet connections). Look for a dubious name and internet connection, take note of the PID, and in Terminal type kill -9 <PID> (this kills the process).
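The lsof check in Option 2, as an added shell helper that is not part of the original post: it parses `lsof -i -nP` output into one line per process and remote endpoint, then flags connections to ports outside a small allowlist so a PID can be inspected before anything is killed. The lsof sample below is constructed, and the allowlist is an assumption you should adjust.

```shell
#!/bin/sh
# Added example (not from the original post): triage `lsof -i -nP` output
# before deciding which PID, if any, to investigate or kill.

# Constructed sample of `lsof -i -nP` output. With -n and -P, addresses and
# ports are numeric, so the NAME column reads "local->remote (STATE)".
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
launchd 1 root 10u IPv4 0x1234 0t0 TCP *:22 (LISTEN)
Safari 412 alice 27u IPv4 0x5678 0t0 TCP 192.168.1.5:52311->203.0.113.10:443 (ESTABLISHED)
iPhoto 990 alice 5u IPv6 0x9abc 0t0 TCP [fe80::1]:52399->[2001:db8::7]:1337 (ESTABLISHED)
iPhoto 990 alice 6u IPv4 0x9abd 0t0 TCP 192.168.1.5:52400->198.51.100.7:1337 (ESTABLISHED)'

# Print "PID COMMAND REMOTE" for every ESTABLISHED connection, deduplicated.
# Reads lsof output on stdin; the address pair is the second-to-last field
# and the state is the last one.
list_established() {
    awk 'NR > 1 && $NF == "(ESTABLISHED)" {
        split($(NF - 1), ep, "->")
        print $2, $1, ep[2]
    }' | sort -u
}

# Keep only connections whose remote port is not in the allowlist (assumed
# list of common service ports). Works for IPv4 and bracketed IPv6 endpoints
# because the port is always the text after the final colon.
flag_unusual_ports() {
    allow=" 22 80 443 587 993 "
    awk -v allow="$allow" '{
        n = split($3, parts, ":"); port = parts[n]
        if (index(allow, " " port " ") == 0) print
    }'
}

# On a live Mac, show what binary a flagged PID actually is before killing it:
#   inspect_pid 990
inspect_pid() {
    ps -o pid=,user=,comm= -p "$1"
}

# Offline demo on the constructed sample; on a real system pipe lsof instead:
#   lsof -i -nP | list_established | flag_unusual_ports
printf '%s\n' "$SAMPLE_LSOF" | list_established | flag_unusual_ports
```

Only the flagged PIDs need a closer look with `inspect_pid` (and, if warranted, `kill -9 <PID>` as the post describes); a well-known port is not proof of a benign process, so treat the allowlist as a first filter, not a verdict.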
If you're using a Mac security scanner, now is the best time to check for a signature update (most vendors detect this as OSX HellRTS).