An Apple macOS backdoor called HZ RAT targets users of Chinese instant messaging apps like WeChat and DingTalk.
HZ RAT, an Apple macOS backdoor, targets users of Chinese instant messaging programs such as DingTalk and WeChat. According to Kaspersky researcher Sergey Puzan, the artifacts “almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server.” German cybersecurity firm DCSO first discovered HZ RAT in November 2022. The malware was spread using malicious RTF documents or self-extracting zip archives, which were most likely created with the Royal Road RTF weaponizer.
Attack chains utilizing RTF documents are designed to take advantage of a long-standing Microsoft Office vulnerability in Equation Editor (CVE-2017-11882) to distribute the Windows variant of the malware, which is then run on the affected host. On the other hand, the second distribution method installs the luring program by pretending to be an installer for reputable programs like OpenVPN, PuTTYgen, or EasyConnect. This installer also runs a Visual Basic Script (VBS) that initiates the RAT. HZ RAT may communicate with a command-and-control (C2) server to obtain more instructions, which is a pretty basic use case for its capabilities. This includes writing arbitrary files to the machine, uploading files to the server, transmitting heartbeat data, and running PowerShell scripts and instructions.
It is believed that the malware is mostly used for system reconnaissance and credential harvesting due to the tool’s restricted functionality. There is evidence that the malware’s initial versions were discovered in the wild as early as June 2020. According to DCSO, the effort has reportedly been underway since at least October 2020.
The most recent Kaspersky sample was discovered in July 2023 and submitted to VirusTotal. It poses as OpenVPN Connect (“OpenVPNConnect.pkg”), which, when launched, connects to the C2 server mentioned in the backdoor to execute four simple commands that are identical to those of its Windows equivalent: Run shell commands to access various data sources, such as DingTalk, WeChat, Google Password Manager, installed programs, and system information. Create a file on the drive. File transmission to the C2 server Verify the availability of a victim.
According to Puzan, the malware tries to get the victim’s WeChatID, email address, and phone number from WeChat. “As for DingTalk, attackers are interested in more detailed victim data: Name of the organization and department where the user works, username, corporate email address, [and] phone number.”With the exception of two servers that are domiciled in the United States and the Netherlands, nearly all of the C2 servers in the assault infrastructure are located in China, according to additional analysis. Furthermore, it is claimed that the ZIP archive holding the macOS installation package (“OpenVPNConnect.zip”) was previously downloaded from a website owned by miHoYo, a Chinese video game developer best known for Honkai and Genshin Impact.
Currently, it’s unclear how the file was submitted to the aforementioned domain (“vpn.mihoyo[.]com”) and whether the server has ever been compromised. The campaign’s extent is also unknown, but the fact that the backdoor is still being used after all these years suggests that it was somewhat successful. “The macOS version of HZ Rat we found shows that the threat actors behind the previous attacks are still active,” stated Puzan. “During the investigation, the malware was only collecting user data, but it could later be used to move laterally across the victim’s network, as suggested by the presence of private IP addresses in some samples.”
Do Follow: CIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter
About us:
CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.
CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.
