BlackHole RAT Evolves Again: New Variant Found

Posted on by

Intego has discovered a new variant of the BlackHole RAT which we discussed in February. While the main principles of the tool – a remote administration tool – remain the same, it includes a backdoor, called, and a keylogger, called It also adds these two latter elements to a user’s Login Items. The full toolkit is installed in a folder named .JavaUpdater; this folder is normally invisible, at least in the Finder, as are all items whose names begin with a period.

The RAT also installs a video capture tool, available from a “normal” website – ie., not a hacker module – which can be eventually used to capture video from an iSight camera. All of these modules are written in RealBasic, a portable, cross-platform language that creates executables using a runtime.

For now, the risk is still very low. Malicious users need access to Macs to install this software, either by physically accessing a Mac, or by accessing it over a network. It is recommended to use a firewall, to prevent such network attacks, such as that found in Intego VirusBarrier X6.