Customers of Chinese language prompt messaging apps like DingTalk and WeChat are the goal of an Apple macOS model of a backdoor named HZ RAT.
The artifacts “nearly precisely replicate the performance of the Home windows model of the backdoor and differ solely within the payload, which is acquired within the type of shell scripts from the attackers’ server,” Kaspersky researcher Sergey Puzan mentioned.
HZ RAT was first documented by German cybersecurity firm DCSO in November 2022, with the malware distributed through self-extracting zip archives or malicious RTF paperwork presumably constructed utilizing the Royal Street RTF weaponizer.
The assault chains involving RTF paperwork are engineered to deploy the Home windows model of the malware that is executed on the compromised host by exploiting a years-old Microsoft Workplace flaw within the Equation Editor (CVE-2017-11882).
The second distribution technique, alternatively, masquerades as an installer for official software program reminiscent of OpenVPN, PuTTYgen, or EasyConnect that, along with really putting in the lure program, additionally executes a Visible Fundamental Script (VBS) accountable for launching the RAT.
The capabilities of HZ RAT are pretty easy in that it connects to a command-and-control (C2) server to obtain additional directions. This contains executing PowerShell instructions and scripts, writing arbitrary information to the system, importing information to the server, and sending heartbeat info.
Given the restricted performance of the software, it is suspected that the malware is primarily used for credential harvesting and system reconnaissance actions.
Proof reveals that the primary iterations of the malware have been detected within the wild way back to June 2020. The marketing campaign itself, per DCSO, is believed to be energetic since not less than October 2020.
The newest pattern uncovered by Kaspersky, uploaded to VirusTotal in July 2023, impersonates OpenVPN Join (“OpenVPNConnect.pkg”), which, upon beginning, establishes contact with a C2 server specified within the backdoor to run 4 primary instructions which might be much like that of its Home windows counterpart –
- Execute shell instructions (e.g., system info, native IP tackle, listing of put in apps, knowledge from DingTalk, Google Password Supervisor, and WeChat)
- Write a file to disk
- Ship a file to the C2 server
- Test a sufferer’s availability
“The malware makes an attempt to acquire the sufferer’s WeChatID, e-mail, and cellphone quantity from WeChat,” Puzan mentioned. “As for DingTalk, attackers are desirous about extra detailed sufferer knowledge: Identify of the group and division the place the person works, username, company e-mail tackle, [and] cellphone quantity.”
Additional evaluation of the assault infrastructure has revealed that nearly all the C2 servers are positioned in China barring two, that are based mostly within the U.S. and the Netherlands.
On prime of that, the ZIP archive containing the macOS set up package deal (“OpenVPNConnect.zip”) is alleged to have been beforehand downloaded from a website belonging to a Chinese language online game developer named miHoYo, which is thought for Genshin Impression and Honkai.
It is at present not clear how the file was uploaded to the area in query (“vpn.mihoyo[.]com”) and if the server was compromised sooner or later up to now. It is also undetermined how widespread the marketing campaign is, however the truth that the backdoor is being put to make use of even in any case these years factors to a point of success.
“The macOS model of HZ Rat we discovered reveals that the menace actors behind the earlier assaults are nonetheless energetic,” Puzan mentioned. “Throughout the investigation, the malware was solely amassing person knowledge, however it may later be used to maneuver laterally throughout the sufferer’s community, as advised by the presence of personal IP addresses in some samples.”
