Threat: oRAT
Affects: A new macOS malware variant was recently discovered by Trend Micro researchers, dubbed oRAT. This malware has been attributed to a new APT group that targets gambling sites. oRAT malware was developed using the Go language and is capable of infecting Windows and macOS.
Prevented by: Jamf Protect threat prevention blocks the execution of this malware.
IOCs:
SHA1 Hashes
26ccf50a6c120cd7ad6b0d810aca509948c8cd78 - UPX packed
9b4717505d8d165b0b12c6e2b9cc4f58ee8095a6 - unpacked
911895ed27ee290bea47bca3e208f1b302e98648 - preinstall script
Malicious URLs (as published by Trend Micro):
In-the-Wild URLs
https://d[.]github.wiki/mac/darwinx64
https://mmimdown[.]oss-cn-hongkong.aliyuncs.com/mac/mmchat-1.1.6.3.dmg
----------
Domains
1.googie[.]ph
12371829hkdanm[.]fbi.am
139[.]5.202.82
149[.]28.31.166
1qw6etagydbn2peifj8hf[.]fbi.am
2.googie[.]ph
3.googie[.]ph
42[.]200.181.116
45[.]76.199.119
45[.]77.22.215
adobe-flash[.]wiki
adobe[.]name
agph[.]ivi66.net
bos[.]github.wiki
caonimade[.]11i.me
d[.]github.wiki
darknet[.]rootkit.tools
darwin[.]github.wiki
download[.]mircrosoftscoulds.com
dust[.]github.wiki
exmail[.]googie.com.ph
fbi[.]fuckbc.com
flash[.]wy886066.com
fuckeryoumm[.]nmb.bet
fuckyou[.]fbi.am
gb[.]googie.ph
helloword[.]11i.me
helloword[.]daj8.me
hk.whoamis[.]info
hkdust[.]github.wiki
huaidan[.]fbi.am
linux[.]daj8.me
linux[.]daji8.me
linux[.]shopingchina.net
linux[.]wy01.com
linux[.]wy01.vip
linux1[.]shopingchina.net
linux2[.]shopingchina.net
list[.]whoamis.info
localhost[.]11i.me
mail[.]whoamis.info
mmimdown[.]oss-cn-hongkong.aliyuncs.com
mmr[.]whoamis.info
poer[.]whoamis.info
rc[.]dajuw.com
rootkit[.]tools
shopingchina[.]net
steam[.]dajuw.com
test[.]mircrosoftscoulds.com
tools[.]daji8.me
update[.]adobe.wiki
win[.]googie.ph
wmgnews[.]daji8.me
wps[.]daj8.me
wpsup[.]daj8.me
www[.]adobe.name
www[.]whoamis.info
yabo[.]googie.ph
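The hashes and domains above are published in defanged form (`[.]` in place of `.`), so they cannot be pasted straight into a detection rule. The following added example (not part of this advisory and not Jamf's or Trend Micro's code) refangs a subset of the indicators listed above and matches them against a few constructed DNS, proxy and file-hash log lines. Domain indicators match exactly or as a parent of a subdomain at a label boundary, so a host such as `antirootkit.tools` does not match `rootkit[.]tools`; IP indicators match exactly only. The log format and the `10.0.0.x` client addresses are assumptions for the sample.

```python
"""Refang the oRAT IOC list and scan log lines for hits (added example)."""
import re

# SHA1 hashes copied verbatim from the advisory above.
ORAT_SHA1 = {
    "26ccf50a6c120cd7ad6b0d810aca509948c8cd78": "UPX packed",
    "9b4717505d8d165b0b12c6e2b9cc4f58ee8095a6": "unpacked",
    "911895ed27ee290bea47bca3e208f1b302e98648": "preinstall script",
}

# Subset of the defanged domains/IPs from the advisory; extend with the rest in the same form.
ORAT_DEFANGED_HOSTS = [
    "d[.]github.wiki",
    "bos[.]github.wiki",
    "mmimdown[.]oss-cn-hongkong.aliyuncs.com",
    "rootkit[.]tools",
    "darknet[.]rootkit.tools",
    "update[.]adobe.wiki",
    "139[.]5.202.82",
    "45[.]76.199.119",
]

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Hostname or dotted-IP tokens inside a free-form log line.
_HOST_TOKEN = re.compile(r"\b[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\.[a-z0-9-]+\b", re.I)
_SHA1_TOKEN = re.compile(r"\b[0-9a-f]{40}\b", re.I)


def refang(indicator: str) -> str:
    """Turn the advisory's defanged form ('x[.]y', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def host_matches(host: str, indicator: str) -> bool:
    """IPs match exactly; domains match exactly or as a subdomain at a label boundary."""
    host, indicator = host.lower().rstrip("."), indicator.lower()
    if _IPV4.match(indicator):
        return host == indicator
    return host == indicator or host.endswith("." + indicator)


def scan_log_lines(lines, hosts=ORAT_DEFANGED_HOSTS, hashes=ORAT_SHA1):
    """Return (line_no, kind, token, indicator) for every IOC hit in the given lines."""
    indicators = [refang(h) for h in hosts]
    hits = []
    for lineno, line in enumerate(lines, 1):
        for token in _HOST_TOKEN.findall(line):
            for ind in indicators:
                if host_matches(token, ind):
                    hits.append((lineno, "host", token.lower(), ind))
        for token in _SHA1_TOKEN.findall(line):
            if token.lower() in hashes:
                hits.append((lineno, "sha1", token.lower(), token.lower()))
    return hits


# Constructed sample log lines (assumed format; not real telemetry).
SAMPLE_LOG = [
    "2022-05-02T10:14:01Z dns client=10.0.0.23 qname=d.github.wiki qtype=A",
    "2022-05-02T10:14:02Z proxy client=10.0.0.23 host=mmimdown.oss-cn-hongkong.aliyuncs.com status=200",
    "2022-05-02T10:15:40Z dns client=10.0.0.23 qname=antirootkit.tools qtype=A",
    "2022-05-02T10:16:11Z file sha1=9B4717505D8D165B0B12C6E2B9CC4F58EE8095A6 path=/Users/alice/Downloads/unknown.bin",
    "2022-05-02T10:17:00Z dns client=10.0.0.24 qname=docs.python.org qtype=A",
    "2022-05-02T10:18:00Z conn client=10.0.0.23 dst=139.5.202.82:443",
]

if __name__ == "__main__":
    for lineno, kind, token, ind in scan_log_lines(SAMPLE_LOG):
        label = ORAT_SHA1.get(ind, "") if kind == "sha1" else ""
        print(f"line {lineno}: {kind} {token} matched {ind} {label}".rstrip())
```

Lines 1, 2, 4 and 6 of the constructed log produce hits; line 3 (`antirootkit.tools`) and line 5 do not, which is the label-boundary behaviour you want before feeding a list like this into a SIEM or DNS-filter rule.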
Don't get bitten by 'oRAT'; secure your endpoints to stop the threat before it infests your environment.
Contact Jamf or your preferred representative to begin your trial of Jamf Protect today.