Skip to main content
  1. Home
  2. Blog
  3. Jamf protects against oRAT malware
Jamf Blog
May 10, 2022 by Jamf Threat Labs

Jamf protects against oRAT malware

Security

Trend Micro researchers recently documented a new piece of malware by an APT threat actor named Earth Berberokawhich targets gambling websites.

Threat: oRAT

Affects: A new macOS malware variant was recently discovered by Trend Micro researchers, dubbed oRAT. This malware has been attributed to a new APT group that targets gambling sites. oRAT malware was developed using the Go language and is capable of infecting Windows and macOS.

Prevented by:Jamf Protect threat prevention blocks the execution of this malware.

IOCs:

 SHA1 Hashes 26ccf50a6c120cd7ad6b0d810aca509948c8cd78 - UPX packed 9b4717505d8d165b0b12c6e2b9cc4f58ee8095a6 - unpacked 911895ed27ee290bea47bca3e208f1b302e98648 - preinstall script 
Malicious URLs (as published by Trend Micro):
 
 In-the-Wild URLs https://d[.]github.wiki/mac/darwinx64 https://mmimdown[.]oss-cn-hongkong.aliyuncs.com/mac/mmchat-1.1.6.3.dmg ---------- Domains 1.googie[.]ph  12371829hkdanm[.]fbi.am  139[.]5.202.82  149[.]28.31.166  1qw6etagydbn2peifj8hf[.]fbi.am  2.googie[.]ph  3.googie[.]ph  42[.]200.181.116  45[.]76.199.119  45[.]77.22.215  adobe-flash[.]wiki  adobe[.]name  agph[.]ivi66.net  bos[.]github.wiki  caonimade[.]11i.me  d[.]github.wiki  darknet[.]rootkit.tools  darwin[.]github.wiki  download[.]mircrosoftscoulds.com  dust[.]github.wiki  exmail[.]googie.com.ph  fbi[.]fuckbc.com  flash[.]wy886066.com  fuckeryoumm[.]nmb.bet  fuckyou[.]fbi.am  gb[.]googie.ph  helloword[.]11i.me  helloword[.]daj8.me  hk.whoamis[.]info  hkdust[.]github.wiki  huaidan[.]fbi.am  linux[.]daj8.me  linux[.]daji8.me  linux[.]shopingchina.net  linux[.]wy01.com  linux[.]wy01.vip  linux1[.]shopingchina.net  linux2[.]shopingchina.net  list[.]whoamis.info  localhost[.]11i.me  mail[.]whoamis.info  mmimdown[.]oss-cn-hongkong.aliyuncs.com  mmr[.]whoamis.info  poer[.]whoamis.info  rc[.]dajuw.com  rootkit[.]tools  shopingchina[.]net  steam[.]dajuw.com  test[.]mircrosoftscoulds.com  tools[.]daji8.me  update[.]adobe.wiki  win[.]googie.ph  wmgnews[.]daji8.me  wps[.]daj8.me  wpsup[.]daj8.me  www[.]adobe.name  www[.]whoamis.info  yabo[.]googie.ph

Don't get bitten by 'oRAT', secure your endpoints to stop the threat before it infests your environment.

Contact Jamf or your preferred representative to begin your trial of Jamf Protect today.

Request Trial
Previous Blog Post:
 Prev
 What is Jamf Threat Labs? Blog Homepage
 Next Blog Post:
 Next
 NukeSped malware a dud, thanks to Jamf Protect
Related Resources
Blog

Jamf Threat Labs identifies Safari vulnerability allowing for Gatekeeper bypass

Read More
Blog

What is Jamf Threat Labs?

Read More
Product Documentation

Jamf Protect Overview

Read More
Browse Blog
by Category:
Jamf Pro (420) Enterprise (391) Education (308) Jamf Nation User Conference (239) Security (155) Jamf Now (93) Healthcare (83) Jamf Protect (77)
Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.