Jamf protects against oRAT malware

Trend Micro researchers recently documented a new piece of malware by an APT threat actor named Earth Berberokawhich targets gambling websites.

May 10 2022 by

Jamf Threat Labs

Threat: oRAT

Affects: A new macOS malware variant was recently discovered by Trend Micro researchers, dubbed oRAT. This malware has been attributed to a new APT group that targets gambling sites. oRAT malware was developed using the Go language and is capable of infecting Windows and macOS.

Prevented by:Jamf Protect threat prevention blocks the execution of this malware.

IOCs:

 SHA1 Hashes 26ccf50a6c120cd7ad6b0d810aca509948c8cd78 - UPX packed 9b4717505d8d165b0b12c6e2b9cc4f58ee8095a6 - unpacked 911895ed27ee290bea47bca3e208f1b302e98648 - preinstall script 

Malicious URLs (as published by Trend Micro):

 In-the-Wild URLs https://d[.]github.wiki/mac/darwinx64 https://mmimdown[.]oss-cn-hongkong.aliyuncs.com/mac/mmchat-1.1.6.3.dmg ---------- Domains 1.googie[.]ph  12371829hkdanm[.]fbi.am  139[.]5.202.82  149[.]28.31.166  1qw6etagydbn2peifj8hf[.]fbi.am  2.googie[.]ph  3.googie[.]ph  42[.]200.181.116  45[.]76.199.119  45[.]77.22.215  adobe-flash[.]wiki  adobe[.]name  agph[.]ivi66.net  bos[.]github.wiki  caonimade[.]11i.me  d[.]github.wiki  darknet[.]rootkit.tools  darwin[.]github.wiki  download[.]mircrosoftscoulds.com  dust[.]github.wiki  exmail[.]googie.com.ph  fbi[.]fuckbc.com  flash[.]wy886066.com  fuckeryoumm[.]nmb.bet  fuckyou[.]fbi.am  gb[.]googie.ph  helloword[.]11i.me  helloword[.]daj8.me  hk.whoamis[.]info  hkdust[.]github.wiki  huaidan[.]fbi.am  linux[.]daj8.me  linux[.]daji8.me  linux[.]shopingchina.net  linux[.]wy01.com  linux[.]wy01.vip  linux1[.]shopingchina.net  linux2[.]shopingchina.net  list[.]whoamis.info  localhost[.]11i.me  mail[.]whoamis.info  mmimdown[.]oss-cn-hongkong.aliyuncs.com  mmr[.]whoamis.info  poer[.]whoamis.info  rc[.]dajuw.com  rootkit[.]tools  shopingchina[.]net  steam[.]dajuw.com  test[.]mircrosoftscoulds.com  tools[.]daji8.me  update[.]adobe.wiki  win[.]googie.ph  wmgnews[.]daji8.me  wps[.]daj8.me  wpsup[.]daj8.me  www[.]adobe.name  www[.]whoamis.info  yabo[.]googie.ph 

Don't get bitten by 'oRAT', secure your endpoints to stop the threat before it infests your environment.

Contact Jamf or your preferred representative to begin your trial of Jamf Protect today.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.