Customers of Chinese language prompt messaging apps like DingTalk and WeChat are the goal of an Apple macOS model of a backdoor named HZ RAT.
The artifacts “nearly precisely replicate the performance of the Home windows model of the backdoor and differ solely within the payload, which is acquired within the type of shell scripts from the attackers’ server,” Kaspersky researcher Sergey Puzan stated.
HZ RAT was first documented by German cybersecurity firm DCSO in November 2022, with the malware distributed through self-extracting zip archives or malicious RTF paperwork presumably constructed utilizing the Royal Highway RTF weaponizer.
The assault chains involving RTF paperwork are engineered to deploy the Home windows model of the malware that is executed on the compromised host by exploiting a years-old Microsoft Workplace flaw within the Equation Editor (CVE-2017-11882).
The second distribution methodology, alternatively, masquerades as an installer for official software program corresponding to OpenVPN, PuTTYgen, or EasyConnect, that along with really putting in the lure program, additionally executes a Visible Primary Script (VBS) accountable for launching the RAT.
The capabilities of HZ RAT are pretty easy in that it connects to a command-and-control (C2) server to obtain additional directions. This contains executing PowerShell instructions and scripts, writing arbitrary recordsdata to the system, importing recordsdata to the server, and sending heartbeat info.
Given the restricted performance of the device, it is suspected that the malware is primarily used for credential harvesting and system reconnaissance actions.
Proof exhibits that the primary iterations of the malware have been detected within the wild way back to June 2020. The marketing campaign itself, per DCSO, is believed to be energetic since no less than October 2020.
The newest pattern uncovered by Kaspersky, uploaded to VirusTotal in July 2023, impersonates OpenVPN Join (“OpenVPNConnect.pkg”) that, as soon as began, establishes contact with a C2 server specified within the backdoor to run 4 primary instructions which can be much like that of its Home windows counterpart –
- Execute shell instructions (e.g., system info, native IP deal with, checklist of put in apps, information from DingTalk, Google Password Supervisor, and WeChat)
- Write a file to disk
- Ship a file to the C2 server
- Verify a sufferer’s availability
“The malware makes an attempt to acquire the sufferer’s WeChatID, e-mail and cellphone quantity from WeChat,” Puzan stated. “As for DingTalk, attackers are considering extra detailed sufferer information: Identify of the group and division the place the consumer works, username, company e-mail deal with, [and] cellphone quantity.”
Additional evaluation of the assault infrastructure has revealed that just about all the C2 servers are positioned in China barring two, that are based mostly within the U.S. and the Netherlands.
On high of that, the ZIP archive containing the macOS set up package deal (“OpenVPNConnect.zip”) is alleged to have been beforehand downloaded from a website belonging to a Chinese language online game developer named miHoYo, which is understood for Genshin Impression and Honkai.
It is at present not clear how the file was uploaded to the area in query (“vpn.mihoyo[.]com”) and if the server was compromised sooner or later prior to now. It is also undetermined how widespread the marketing campaign is, however the truth that the backdoor is being put to make use of even in spite of everything these years factors to some extent of success.
“The macOS model of HZ Rat we discovered exhibits that the risk actors behind the earlier assaults are nonetheless energetic,” Puzan stated. “the malware was solely gathering consumer information, but it surely might later be used to maneuver laterally throughout the sufferer’s community, as urged by the presence of personal IP addresses in some samples.”
