Users of Chinese instant messaging apps such as DingTalk and WeChat are the target of an Apple macOS version of a backdoor named HZ RAT.
The artifacts “almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server,” Kaspersky researcher Sergey Puzan said.
HZ RAT was first documented by German cybersecurity company DCSO in November 2022, with the malware distributed through self-extracting zip archives or malicious RTF documents likely built using the Royal Road RTF weaponizer.
The attack chains involving RTF documents are engineered to deploy the Windows version of the malware, which is executed on the compromised host by exploiting a years-old Microsoft Office flaw in the Equation Editor (CVE-2017-11882).
The second distribution method, on the other hand, masquerades as an installer for legitimate software such as OpenVPN, PuTTYgen, or EasyConnect that, in addition to actually installing the decoy program, also executes a Visual Basic Script (VBS) responsible for launching the RAT.
The capabilities of HZ RAT are fairly straightforward in that it connects to a command-and-control (C2) server to receive further instructions. These include executing PowerShell commands and scripts, writing arbitrary files to the system, uploading files to the server, and sending heartbeat information.
Given the limited functionality of the tool, it is suspected that the malware is primarily used for credential harvesting and system reconnaissance activities.
Evidence shows that the first iterations of the malware were detected in the wild as far back as June 2020. The campaign itself, per DCSO, is believed to have been active since at least October 2020.
The latest sample uncovered by Kaspersky, uploaded to VirusTotal in July 2023, impersonates OpenVPN Connect (“OpenVPNConnect.pkg”) and, once launched, establishes contact with a C2 server specified in the backdoor to run four basic commands that are similar to those of its Windows counterpart:
- Execute shell commands (e.g., collecting system information, the local IP address, the list of installed apps, and data from DingTalk, Google Password Manager, and WeChat)
- Write a file to disk
- Send a file to the C2 server
- Check a victim’s availability
“The malware attempts to obtain the victim’s WeChatID, email and phone number from WeChat,” Puzan said. “As for DingTalk, attackers are interested in more detailed victim data: Name of the organization and department where the user works, username, corporate email address, [and] phone number.”
Further analysis of the attack infrastructure has revealed that almost all of the C2 servers are located in China, barring two, which are based in the U.S. and the Netherlands.
On top of that, the ZIP archive containing the macOS installation package (“OpenVPNConnect.zip”) is said to have been previously downloaded from a domain belonging to a Chinese video game developer named miHoYo, which is known for Genshin Impact and Honkai.
It is currently not clear how the file was uploaded to the domain in question (“vpn.mihoyo[.]com”) or whether the server was compromised at some point in the past. It is also undetermined how widespread the campaign is, but the fact that the backdoor is still being put to use after all these years points to some degree of success.
“The macOS version of HZ Rat we found shows that the threat actors behind the previous attacks are still active,” Puzan said. “The malware was only collecting user data, but it could later be used to move laterally across the victim’s network, as suggested by the presence of private IP addresses in some samples.”