In June 2024, cybersecurity researchers from Kaspersky identified a new macOS version of the HZ Rat backdoor, marking the first time this malware has been observed targeting macOS users.
The backdoor was found attacking users of the enterprise messaging platform DingTalk and the popular social network WeChat. This development follows previous discoveries of the HZ Rat backdoor targeting Windows systems.
First detected in late 2022 by DCSO researchers, the HZ Rat backdoor is known for receiving commands from attackers, initially via PowerShell scripts on Windows. The newly discovered macOS variant behaves similarly but receives payloads as shell scripts from a command-and-control (C2) server.
While the exact method of infection remains unclear, researchers uncovered an installation package disguised as a legitimate OpenVPN application. The malware’s payload allows it to establish a connection to C2 servers, including some that use private IP addresses, indicating a potential focus on specific targets. The backdoor gathers extensive data from victims, including information from DingTalk and WeChat, such as corporate details, contact information, and user credentials.
Most of the C2 servers identified were located in China, with a few exceptions in the U.S. and the Netherlands. The presence of private IP addresses in some samples suggests that the malware could be used for lateral movement within a network, potentially laying the groundwork for further attacks.
The researchers said the macOS version of HZ Rat they found makes it clear that the malicious actors behind the previous attacks are still active. “During the investigation, the malware was only collecting user data, but it could later be used to move laterally across the victim’s network, as suggested by the presence of private IP addresses in some samples.”
Moreover, they said the data collected about victims’ organizations and contact information could be used to spy on individuals of interest and lay the foundations for future attacks.
At the time of the study, the researchers said they had not encountered the use of two of the backdoor commands (write file to disk and send file to server), so the full scope of the malefactors’ intentions remains unclear.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.