Catching the Coldroot RAT

Way back in 1982, two years before the Mac was unveiled, Apple's big seller was the Apple II, a rudimentary PC introduced in 1977 that at the time seemed like the technological equivalent of a spaceship. 1982 was also the year a 15-year-old high-school prankster named Rich Skrenta wrote the "Elk Cloner" virus, which spread by infecting the boot sector of the Apple II's floppy disks. On every 50th boot, the malware would display the following poem:

Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!
It will stick to you like glue
It will modify RAM too
Send in the Cloner!


Sweet child that he was, Skrenta requested no ransom, encrypted no files, and inflicted no real damage. Oh, how times (and hackers) have changed. 

But enough reminiscing about the good ol' days. The point is that while today's conventional wisdom holds that Apple's OS is less hackable than Windows, the truth is a little more complicated.

For starters, the data is skewed. More enterprises are powered by Windows Servers than by Mac infrastructure, so Windows makes a more lucrative target. There has also been less focus on Mac security research, so we're not always sure what's out there.

The fact is that Macs are far from impervious to breaches. As of February 22, 2019, independent research firm AV-Test had reported 93,221 new OSX malware variants in 2018, up from 28,918 the year before, a 222% increase. (For comparison, new Windows malware increased from 56.82M to 67.87M during the same period, roughly a 19% increase, as of the same date.) So while the relatively small number of Mac breaches might suggest the problem isn't worrisome, it's definitely time to take Mac security more seriously, before it balloons to a Windows-like scale.

An Analytic Story in the January release of Splunk Enterprise Security Content Update (ESCU) is our first to address an OSX attack technique, in this case the Coldroot remote access trojan (RAT). This nasty bit of malware was uploaded to GitHub in 2016 but was still escaping detection in the first quarter of 2018, when a new, more feature-rich variant was discovered masquerading as an Apple audio driver.

You Dirty RAT

Coldroot the remix was markedly more sophisticated than its ancestor.

Amongst its new capabilities:

Searches in the Analytic Story leverage osquery to address Coldroot detection from several different angles: looking for the existence of associated files and processes, and monitoring for signs of an installed keylogger.
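To make those "several angles" concrete, here is an added example of that detection logic run over osquery result-log lines. It is illustrative code written for this post, not the ESCU searches themselves or any Splunk or osquery project code. It assumes osquery's macOS `file`, `processes` and `event_taps` tables (check the column names against the osquery version you deploy); the indicator paths, process name and event-tap allowlist are hypothetical placeholders, not Coldroot IoCs, and the log lines are constructed.

```python
import json
from dataclasses import dataclass

# osquery queries a scheduled pack could run on macOS. The tables (file, processes,
# event_taps) are in the osquery schema; verify column names against your osquery
# version. Indicator values below are hypothetical placeholders, not Coldroot IoCs.
OSQUERY_QUERIES = {
    "rat_file_present": (
        "SELECT path FROM file "
        "WHERE path = '/Library/LaunchDaemons/com.example.rat.plist';"
    ),
    "rat_process_running": (
        "SELECT pid, name, path FROM processes WHERE name = 'example_rat';"
    ),
    # Any enabled CGEventTap: keyloggers on macOS commonly hook the keyboard this way,
    # so the tap is joined back to the owning process for triage.
    "keyboard_event_tap": (
        "SELECT p.pid, p.path, e.event_tapped FROM event_taps e "
        "JOIN processes p ON e.tapping_process = p.pid WHERE e.enabled = 1;"
    ),
}

# Software on the fleet that legitimately installs event taps (hypothetical list).
EVENT_TAP_ALLOWLIST = {
    "/Applications/Karabiner-Elements.app/Contents/MacOS/karabiner_grabber",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def parse_osquery_results(lines):
    """Parse osquery result-log lines (one JSON object per line).

    Malformed lines are skipped. Differential "removed" rows are dropped because they
    mean an indicator disappeared, not that it appeared.
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("action") == "removed":
            continue
        events.append(event)
    return events


def detect(events, allowlist=EVENT_TAP_ALLOWLIST):
    """Turn osquery result rows into findings for the three detection angles."""
    findings = []
    for event in events:
        name = event.get("name", "")
        host = event.get("hostIdentifier", "unknown-host")
        cols = event.get("columns", {})
        if name.endswith("rat_file_present") and cols.get("path"):
            findings.append(Finding("rat_file_present", host, cols["path"]))
        elif name.endswith("rat_process_running") and cols.get("pid"):
            findings.append(Finding("rat_process_running", host,
                                    f"pid={cols['pid']} path={cols.get('path', '')}"))
        elif name.endswith("keyboard_event_tap"):
            path = cols.get("path", "")
            if path not in allowlist:  # unknown process owning a keyboard tap
                findings.append(Finding("keyboard_event_tap", host,
                                        f"{path} taps {cols.get('event_tapped', '?')}"))
    return findings


# Constructed sample of osquery's results log (not real telemetry).
SAMPLE_LOG = """
{"name":"pack_mac_rat_file_present","hostIdentifier":"mac-01","action":"added","columns":{"path":"/Library/LaunchDaemons/com.example.rat.plist"}}
{"name":"pack_mac_rat_process_running","hostIdentifier":"mac-01","action":"added","columns":{"pid":"4242","name":"example_rat","path":"/private/tmp/example_rat"}}
{"name":"pack_mac_keyboard_event_tap","hostIdentifier":"mac-02","action":"added","columns":{"pid":"311","path":"/Applications/Karabiner-Elements.app/Contents/MacOS/karabiner_grabber","event_tapped":"EventTap"}}
{"name":"pack_mac_keyboard_event_tap","hostIdentifier":"mac-03","action":"added","columns":{"pid":"5150","path":"/Users/Shared/.audio/driver","event_tapped":"EventTap"}}
{"name":"pack_mac_rat_file_present","hostIdentifier":"mac-04","action":"removed","columns":{"path":"/Library/LaunchDaemons/com.example.rat.plist"}}
not json at all
"""


def run_example():
    """Parse the constructed sample and return the findings (three expected)."""
    return detect(parse_osquery_results(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for finding in run_example():
        print(f"{finding.rule:22s} {finding.host:8s} {finding.detail}")
```

In a Splunk deployment the same three rules become searches over the osquery sourcetype; the allowlist is the piece that needs tuning per fleet, since accessibility tools and keyboard remappers install event taps legitimately and will otherwise generate noise.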

The Splunk Security Research Team sleeps better at night when we know you are protected against threats. So download Splunk ESCU version 1.0.34 from Splunkbase today!


The Splunk Threat Research Team is an active part of a customer's overall defense strategy, enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks, which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day-to-day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as DEF CON, Black Hat, RSA, and many more.
