Threat: oRAT
Affects: A new macOS malware variant was recently discovered by Trend Micro researchers, dubbed oRAT. This malware has been attributed to a new APT group that targets gambling sites. oRAT malware was developed using the Go language and is capable of infecting Windows and macOS.
Prevented by: Jamf Protect threat prevention blocks the execution of this malware.
IOCs:
SHA1 Hashes
26ccf50a6c120cd7ad6b0d810aca509948c8cd78 - UPX packed
9b4717505d8d165b0b12c6e2b9cc4f58ee8095a6 - unpacked
911895ed27ee290bea47bca3e208f1b302e98648 - preinstall script
Malicious URLs (as published by Trend Micro):
In-the-Wild URLs
https://d[.]github.wiki/mac/darwinx64
https://mmimdown[.]oss-cn-hongkong.aliyuncs.com/mac/mmchat-1.1.6.3.dmg
----------
Domains
Don't get bitten by oRAT: secure your endpoints to stop the threat before it infests your environment.
Contact Jamf or your preferred representative to begin your trial of Jamf Protect today.