BlackHoleRAT, a Mac OS X variant of darkComet RAT for Windows, is backdoor Trojan that is still rudimentary in its capabilities, but the malware author promises there's more to come.
Security researchers have discovered a beta version of a new backdoor Trojan
that targets Mac OS X.
SophosLAbs analyzed the sample and determined that the Trojan is actually a
variant of darkComet, a well-known Windows Remote Access Trojan, Chester
Wisniewski, senior security analyst at Sophos, wrote on the NakedSecurity
on Feb. 26. The malware author apparently named it BlackHoleRAT, but
Sophos has dubbed it MusMinim.
A number of security firms predicted the rise of Mac malware in 2011, and
this Trojan is the first new Mac threat this year.
Black Hole is actually the name of a legitimate application that helps users
get rid of potentially sensitive information from the computer, such as
recently used file lists and data left on the clipboard, according to
Wisniewski. The Trojan has nothing to do with that application, he said.
As a Trojan, MusMinim has very basic capabilities, including placing text
files on the desktop; sending a restart, shutdown or sleep command to the
computer; running arbitrary shell commands; and sending URLs to open a Website.
The Trojan can also pop up a fake "Administrator Password" window to
phish the victim's password credentials, Wisniewski said.
Once the Trojan has the password information, the remote attacker has full
administrator privileges on the computer.
RAT malware generally employs a client-server program that communicates with
victims through a Trojan server, according to Italy-based security researcher Methusela Cebrian Ferrer
The server application is installed on the compromised machine, and the client
application is on the remote attacker's system, she said.
The malware author also provided an introductory message for victims in a
full-screen window that can't be closed unless the user clicks on the Reboot
button. "I am a Trojan Horse, so i have infected your Mac Computer,"
the message said.
"I know, most people think Macs can't be infected, but look, you ARE
Infected!" the author wrote in the message. Victims are told the Trojan
has "full control" over the computer to execute any number of
The author also warned that it is a "very new Virus, under Development,
so there will be much more functions when im finished."
The Trojan itself doesn't appear to use any Mac-specific security
vulnerabilities or exploits to infect the computer. Instead, it uses a common
Windows-malware tactic by piggybacking on a downloaded executable. MusMinim likely
is distributed through pirated software downloads, torrent sites or anywhere
users may download an application that would get installed, Wisniewski said.
It may also be able to take advantage of an unpatched vulnerability in the
browser, third-party plug-ins and other applications, he said. There have been
a number of security vulnerabilities discovered in the Safari Web browser
It could be indicative of malware authors beginning to focus on the Mac OS X
as the operating system gains market share and the target audience looks more
lucrative. A number of security vendors have come out with Mac-specific
security products recently, and Apple quietly invited several security
researchers to preview the new Mac OS X Lion and provide security feedback.