On February 14th, 2018, a new variant of an OS X RAT called “EvilOSX” has appeared on Github.

A RAT (Remote Access Trojan) is a type of malware designed to control the infected system remotely. With 21 code changes in the 9 days since its initial release, it appears to be under active development. EvilOSX is not a very complicated RAT, and thanks to the new variant’s author putting the source up on Github it should be easy to deal with as well.


The feature that the author seems most proud of is their attempts at avoiding AV detection. When pushing the code change to the repository, author Marten4n6 left the comment “Shoutout to the guys trying to make anti-virus detect this, there goes your detection again. . .”

This anti-virus dodging code is accomplished by using a specific script for building the malware with two sections of code dedicated to changing the hash of the malware each time it is built, even without code changes. The first section is the simplest. It generates a random set of characters to be placed near the top of the script in a comment so functionality is not affected. The second, more complicated portion uses base64 to encode the script, then a tool called openssl to encrypt the contents. By doing this, different malicious actors distributing EvilOSX will have different file hashes which anti-virus applications often rely upon to detect known malware. Neither of these methods will stop anyone from being able to analyze the contents, though, as all information needed to decrypt the contents had to be written in the script for it to decrypt itself.

Other features include persistent installation, an extendable module system for other developers to add new functionality, the ability to steal passwords from Chrome, retrieving browser histories, file management between the server and infected machine, local privilege escalation via CVE-2015-5889 (OS X 10.9.5 to 10.10.5), the “slowloris” denial of service, and a few other information gathering features.

At the time of this writing, there does not appear to be a way to issue commands to all infected machines. Although it included denial of service capabilities, any threat of a distributed attack is minimal without further updates.