A new Rust-based macOS malware, distributed as a Visual Studio update to give attackers backdoor access to compromised systems, uses infrastructure linked to the infamous ALPHV/BlackCat ransomware gang.
The campaign delivering the backdoor has been running since at least November 2023 and is still underway, distributing newer variants of the malware.
Written in Rust, the malware can run on Intel-based and ARM architectures, say researchers at cybersecurity company Bitdefender, who are tracking it as RustDoor.
While analyzing RustDoor, malware researchers at Bitdefender discovered that the malware communicated with four command and control servers.
While macOS encryptors exist (LockBit builds for Apple M1 were created before December 2022), there are no public reports at this time of ransomware attacks against Apple's operating system.
Most ransomware operations target Windows and Linux systems, since enterprise environments run their servers on these operating systems.
RustDoor is distributed primarily as an updater for Visual Studio for Mac, Microsoft's integrated development environment for the macOS platform, which Microsoft will discontinue on August 31 this year.
According to Bitdefender, the malware has been actively distributed, and undetected, for at least three months.
The researchers discovered three versions of the malware. They come as FAT binaries containing Mach-O files for both x86_64 (Intel) and ARM architectures, but are not packaged in the usual container formats such as Application Bundles or Disk Images.
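The "FAT binary with slices for both architectures" property is easy to confirm on a sample by reading the fat_header and fat_arch table directly, rather than trusting a file extension or a bundle layout. The script below is an added example, not Bitdefender's tooling and not code from the RustDoor samples; it builds a constructed two-slice universal binary inline so it runs without a real sample, and accepts a file path when you want to inspect one. The Java class-file magic collision and the bounds checks on each slice are the parts worth keeping.

```python
"""Triage helper: list the architecture slices of a macOS universal (FAT) binary.

Added example, not Bitdefender's or RustDoor's code. The sample bytes are
constructed inline; run `python fatcheck.py <file>` to inspect a real sample.
"""
import struct
import sys

FAT_MAGIC = 0xCAFEBABE        # fat_header.magic; the FAT header is always big-endian
MH_MAGIC_64 = 0xFEEDFACF      # mach_header_64.magic, little-endian on x86_64 and arm64
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_NAMES = {
    CPU_TYPE_X86 | CPU_ARCH_ABI64: "x86_64",
    CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
}
# Java class files share the 0xCAFEBABE magic; their next field is the class-file
# version (45 = JDK 1.1 and up), far above any plausible slice count.
MAX_FAT_ARCHES = 44


def cpu_name(cputype: int) -> str:
    return CPU_NAMES.get(cputype, f"unknown(0x{cputype:08x})")


def parse_fat(data: bytes):
    """Return one dict per fat_arch entry, or [] if data is not a FAT binary."""
    if len(data) < 8:
        return []
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC or nfat == 0 or nfat > MAX_FAT_ARCHES:
        return []
    slices = []
    for i in range(nfat):
        entry = 8 + i * 20                       # sizeof(fat_arch) == 20
        if entry + 20 > len(data):
            raise ValueError("fat_arch table runs past end of file")
        cputype, cpusubtype, offset, size, align = struct.unpack_from(">IIIII", data, entry)
        if size < 8 or offset + size > len(data):
            raise ValueError(f"slice {i} ({cpu_name(cputype)}) lies outside the file")
        slices.append({
            "arch": cpu_name(cputype),
            "cpusubtype": cpusubtype,
            "offset": offset,
            "size": size,
            "align_log2": align,
            # each slice should itself begin with a Mach-O header
            "is_macho64": struct.unpack_from("<I", data, offset)[0] == MH_MAGIC_64,
        })
    return slices


def architectures(data: bytes):
    """Sorted arch names: every slice of a FAT binary, or the one arch of a thin Mach-O."""
    slices = parse_fat(data)
    if slices:
        return sorted(s["arch"] for s in slices)
    if len(data) >= 8 and struct.unpack_from("<I", data, 0)[0] == MH_MAGIC_64:
        return [cpu_name(struct.unpack_from("<I", data, 4)[0])]
    return []


def macho64_header(cputype: int) -> bytes:
    """Minimal mach_header_64 (MH_EXECUTE, no load commands) for the constructed sample."""
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


def build_sample_fat() -> bytes:
    """Constructed two-slice universal binary (x86_64 + arm64); not a real sample."""
    x86 = macho64_header(CPU_TYPE_X86 | CPU_ARCH_ABI64)
    arm = macho64_header(CPU_TYPE_ARM | CPU_ARCH_ABI64)
    table_len = 8 + 2 * 20
    off_x86 = 64                     # real files align slices to 4 KiB / 16 KiB pages
    off_arm = off_x86 + len(x86)
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">IIIII", CPU_TYPE_X86 | CPU_ARCH_ABI64, 3, off_x86, len(x86), 12)
    header += struct.pack(">IIIII", CPU_TYPE_ARM | CPU_ARCH_ABI64, 0, off_arm, len(arm), 14)
    return header + b"\0" * (off_x86 - table_len) + x86 + arm


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_fat()
    for s in parse_fat(blob):
        print(f"{s['arch']:8} offset=0x{s['offset']:x} size={s['size']} macho64={s['is_macho64']}")
    print("architectures:", architectures(blob))
```

`lipo -info` and `file` give the same answer on a well-formed file; parsing the table yourself is what lets you notice a slice whose offset and size point outside the file, or a slice that does not start with a Mach-O header, both of which a hand-crafted header can produce and both of which are worth flagging during triage.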
In a report this week, the researchers say that RustDoor has commands to control the compromised system and to exfiltrate data, and it can persist on the device by modifying system files.
After infecting a system, the malware communicates with its command and control servers through dedicated endpoints for registration, task execution, and data exfiltration. The commands the backdoor accepts include the following:
Ps: Lists running processes, useful for monitoring system activity.
Cd: Changes the current directory, allowing navigation through the file system.
Mkdir: Creates a new directory, useful for organizing stolen data or malware components.
Rm: Removes files, potentially to delete important files or clean up traces of the malware.
Botkill: Terminates other malware processes, possibly to eliminate competition or free up system resources.
Taskkill: Ends specified processes, useful for stopping security software or other processes that interfere with the malware.
Download: Retrieves files from a remote server, used to bring additional malware components or updates onto the infected system.
The backdoor uses cron jobs and LaunchAgents to schedule its execution at specific times or at user login, ensuring it survives system reboots.
It also modifies the ~/.zshrc file so that it runs in every new terminal session, or adds itself to the Dock via system commands, which helps it blend in with legitimate applications and normal user activity.
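Each of those persistence spots (cron, per-user LaunchAgents, the shell rc file, and the Dock's persistent-apps list) can be checked from a host triage script. The script below is an added example, not code from Bitdefender or BleepingComputer, and it runs on constructed inputs: the hidden ".vsupdate" directory, the "com.apple.vsupdate" label and the sample rc file, plist, crontab and Dock export are all invented for illustration. On a real Mac you would feed in ~/.zshrc, each plist under ~/Library/LaunchAgents, the output of `crontab -l`, and the output of `defaults export com.apple.dock -`. The "suspicious" heuristics (user-writable program paths, backgrounded launchers in an rc file, Apple-style labels in a per-user agents directory, Dock tiles outside /Applications and /System) are assumptions chosen for this example, not signatures from the report.

```python
# Added example (not Bitdefender's or BleepingComputer's code): checks the
# persistence spots named above against constructed inputs. On a real host feed
# in ~/.zshrc, each plist in ~/Library/LaunchAgents, `crontab -l` output and
# `defaults export com.apple.dock -`. All paths and labels below are invented.
import plistlib
import re
from urllib.parse import unquote, urlparse

USER_WRITABLE = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/", "~/", "$HOME/")
TRUSTED_APP_PREFIXES = ("/Applications/", "/System/")   # where Dock tiles normally point
RC_CONFIG_PREFIXES = ("export ", "alias ", "source ", ". ", "setopt ", "autoload ", "eval ", "PATH=")

def refs_user_writable(command: str) -> bool:
    """True if any token of the command is a path a non-root user can write to (heuristic)."""
    return any(tok.startswith(USER_WRITABLE) for tok in command.split())

def shell_rc_findings(text: str):
    """(line no, line) for rc lines that run something from a user-writable path
    or background it: the shape of a ~/.zshrc hook that relaunches a backdoor."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or s.startswith(RC_CONFIG_PREFIXES):
            continue  # comments and plain shell configuration
        if s.endswith("&") or s.startswith("nohup ") or refs_user_writable(s):
            hits.append((n, s))
    return hits

def launchagent_findings(plist_bytes: bytes, in_user_dir: bool = True):
    """Summarise a launchd plist; 'reasons' is empty when nothing looks off."""
    p = plistlib.loads(plist_bytes)
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    program = args[0] if args else ""
    reasons = []
    if refs_user_writable(program):
        reasons.append("program lives in a user-writable path")
    if in_user_dir and str(p.get("Label", "")).startswith("com.apple."):
        reasons.append("Apple-style label in a per-user LaunchAgents directory")
    return {"label": p.get("Label"), "program": program,
            "run_at_load": bool(p.get("RunAtLoad")), "keep_alive": bool(p.get("KeepAlive")),
            "reasons": reasons}

CRON_LINE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.+)$")   # '@reboot cmd' or 'm h dom mon dow cmd'

def crontab_findings(text: str):
    """(schedule, command) for entries that run at reboot or from a user-writable path."""
    hits = []
    for line in text.splitlines():
        m = CRON_LINE.match(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        schedule, cmd = m.group(1).strip(), m.group(2).strip()
        if schedule == "@reboot" or refs_user_writable(cmd):
            hits.append((schedule, cmd))
    return hits

def dock_findings(dock_plist: bytes):
    """Dock tile paths outside /Applications and /System."""
    p = plistlib.loads(dock_plist)
    hits = []
    for tile in p.get("persistent-apps", []):
        url = tile.get("tile-data", {}).get("file-data", {}).get("_CFURLString", "")
        path = unquote(urlparse(url).path)
        if path and not path.startswith(TRUSTED_APP_PREFIXES):
            hits.append(path)
    return hits

# Constructed samples; the hidden ".vsupdate" directory and the label are invented.
SAMPLE_ZSHRC = """\
export PATH=$HOME/bin:$PATH
source ~/.fzf.zsh
nohup /Users/dev/Library/.vsupdate/updater >/dev/null 2>&1 &
"""
SAMPLE_AGENT = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.apple.vsupdate</string>
<key>ProgramArguments</key><array><string>/Users/dev/Library/.vsupdate/updater</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
@reboot /Users/dev/Library/.vsupdate/updater
*/5 * * * * /private/tmp/.x/run >/dev/null 2>&1
"""
SAMPLE_DOCK = b"""<plist version="1.0"><dict><key>persistent-apps</key><array>
<dict><key>tile-data</key><dict><key>file-data</key><dict>
<key>_CFURLString</key><string>file:///Applications/Safari.app/</string></dict></dict></dict>
<dict><key>tile-data</key><dict><key>file-data</key><dict>
<key>_CFURLString</key><string>file:///Users/dev/Library/.vsupdate/Visual%20Studio.app/</string></dict></dict></dict>
</array></dict></plist>"""

def audit(zshrc=SAMPLE_ZSHRC, agent=SAMPLE_AGENT, crontab=SAMPLE_CRONTAB, dock=SAMPLE_DOCK):
    """Run all four checks; each value is empty (or has no reasons) when the input is clean."""
    return {"zshrc": shell_rc_findings(zshrc), "launchagent": launchagent_findings(agent),
            "crontab": crontab_findings(crontab), "dock": dock_findings(dock)}

if __name__ == "__main__":
    for area, found in audit().items():
        print(f"{area}: {found}")
```

Two design notes. The cron and rc checks deliberately ignore a bare `/tmp` argument to `find` and lines that only set variables or source other files, so a developer's ordinary dotfiles do not light up; what they do flag is a program launched from somewhere a non-root user can write to, which is exactly where a malware dropped without privilege has to live. For the Dock, the script reads the `_CFURLString` of each tile because that is what `defaults write com.apple.dock persistent-apps` ends up populating; the percent-encoded URL is decoded before the path check so an app name with spaces is compared correctly.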
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 09 Feb 2024 15:55:11 +0000