BlackHole RAT Trojan targets Mac OS X

SophosLabs has reportedly identified a modified variant of the infamous darkComet Remote Access Trojan (RAT) that appears to target systems running Mac OS X.

Although BlackHole RAT is not yet ready for deployment, the OS X version of the nefarious Trojan could be indicative of more underground programmers taking note of Apple’s increasing market share.

According to Sophos senior security advisor Chester Wisniewski, the Mac OS X variant is “very basic,” with a mix of German and English in the user interface. 

Functions include:

  • Placing text files on the desktop.
  • Sending a restart, shutdown or sleep command.
  • Running arbitrary shell commands.
  • Placing a full screen window with a message that only allows you to click reboot.
  • Sending URLs to the client to open a website.
  • Popping up a fake “Administrator Password” window to phish the target.

An excerpt from the default text that is displayed in the full screen window with the reboot button reads:

“I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can’t be infected, but look, you ARE Infected!

“I have full control over your Computer and i can do everything I want, and you can do nothing to prevent it. So, Im a very new Virus, under Development, so there will be much more functions when im finished.”

As Wisniewski notes, Trojans like BlackHole RAT are frequently distributed via pirated software downloads and torrent sites.

“[Of course], it could also be dropped by a vulnerability in your browser, plugins and other applications.

“[As such], patching [with anti-virus protection and security updates] is an important part of protection on all platforms,” he added.