Jamf protects against oRAT malware

Threat: oRAT

Affects: A new macOS malware variant was recently discovered by Trend Micro researchers, dubbed oRAT. This malware has been attributed to a new APT group that targets gambling sites. oRAT malware was developed using the Go language and is capable of infecting Windows and macOS.

Prevented by:Jamf Protect threat prevention blocks the execution of this malware.

IOCs:

 SHA1 Hashes 26ccf50a6c120cd7ad6b0d810aca509948c8cd78 - UPX packed 9b4717505d8d165b0b12c6e2b9cc4f58ee8095a6 - unpacked 911895ed27ee290bea47bca3e208f1b302e98648 - preinstall script 
Malicious URLs (as published by Trend Micro):
 
 In-the-Wild URLs https://d[.]github.wiki/mac/darwinx64 https://mmimdown[.]oss-cn-hongkong.aliyuncs.com/mac/mmchat-1.1.6.3.dmg ---------- Domains 1.googie[.]ph  12371829hkdanm[.]fbi.am  139[.]5.202.82  149[.]28.31.166  1qw6etagydbn2peifj8hf[.]fbi.am  2.googie[.]ph  3.googie[.]ph  42[.]200.181.116  45[.]76.199.119  45[.]77.22.215  adobe-flash[.]wiki  adobe[.]name  agph[.]ivi66.net  bos[.]github.wiki  caonimade[.]11i.me  d[.]github.wiki  darknet[.]rootkit.tools  darwin[.]github.wiki  download[.]mircrosoftscoulds.com  dust[.]github.wiki  exmail[.]googie.com.ph  fbi[.]fuckbc.com  flash[.]wy886066.com  fuckeryoumm[.]nmb.bet  fuckyou[.]fbi.am  gb[.]googie.ph  helloword[.]11i.me  helloword[.]daj8.me  hk.whoamis[.]info  hkdust[.]github.wiki  huaidan[.]fbi.am  linux[.]daj8.me  linux[.]daji8.me  linux[.]shopingchina.net  linux[.]wy01.com  linux[.]wy01.vip  linux1[.]shopingchina.net  linux2[.]shopingchina.net  list[.]whoamis.info  localhost[.]11i.me  mail[.]whoamis.info  mmimdown[.]oss-cn-hongkong.aliyuncs.com  mmr[.]whoamis.info  poer[.]whoamis.info  rc[.]dajuw.com  rootkit[.]tools  shopingchina[.]net  steam[.]dajuw.com  test[.]mircrosoftscoulds.com  tools[.]daji8.me  update[.]adobe.wiki  win[.]googie.ph  wmgnews[.]daji8.me  wps[.]daj8.me  wpsup[.]daj8.me  www[.]adobe.name  www[.]whoamis.info  yabo[.]googie.ph