A group of researchers from the cybersecurity company Bitdefender has identified new malware targeting users of macOS computers. The malware can steal files through a backdoor and is distributed disguised as an update to Microsoft's Visual Studio.
The backdoor belongs to a previously undocumented malware family and shows a possible link to a Windows ransomware group. Tracked as Trojan.MAC.RustDoor, it specifically targets macOS users and is written in Rust, a language that is still relatively new in the malware ecosystem; Rust gives its operators an advantage in evading detection and frustrating analysis.
The malware can be used to steal specific files or file types, archive them, and upload them to the command-and-control (C&C) server, where the attackers can retrieve them. The researchers observed that the campaign has been active since at least November of last year and has run undetected for at least three months.
To distribute itself, the malware poses as an update to Microsoft's Visual Studio and uses file names such as ‘VisualStudioUpdater’, ‘DO_NOT_RUN_ChromeUpdates’ or ‘zshrc2’. The files are FAT (universal) binaries, meaning a single file runs on both Intel (x86_64) and ARM (Apple Silicon) processors.
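The two traits the report attaches to the droppers, the file names and the universal (FAT) Mach-O format, are enough to write a small hunt. The script below is an added example, not Bitdefender's code and not tied to any real sample: it parses the FAT header (magic and CPU-type constants from Apple's <mach-o/fat.h> and <mach-o/loader.h>), records which architectures a file carries, and flags files whose name matches the list in the article. The sample bytes at the bottom are constructed to exercise the parser; the suspicious-name list and the x86_64/arm64 check are the only parts taken from the report.

```python
"""Hunt for FAT (universal) Mach-O files whose names match the report.
Added example: constants come from Apple's Mach-O headers; the sample
bytes are constructed and are not real malware."""
from __future__ import annotations

import struct
import sys
from pathlib import Path
from typing import Optional

FAT_MAGIC = 0xCAFEBABE      # universal binary; header is always big-endian
FAT_MAGIC_64 = 0xCAFEBABF   # variant with 32-byte fat_arch_64 entries
MH_MAGIC_64 = 0xFEEDFACF    # single-arch 64-bit Mach-O, big-endian host
MH_CIGAM_64 = 0xCFFAEDFE    # same magic as stored by a little-endian host

CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64",
             0x00000007: "i386", 0x0000000C: "arm"}

# File names the article reports for the RustDoor droppers.
SUSPICIOUS_NAMES = {"VisualStudioUpdater", "DO_NOT_RUN_ChromeUpdates", "zshrc2"}

# Java .class files also start with CAFEBABE; there the next field is a
# class-file version far larger than any plausible architecture count.
MAX_FAT_ARCHS = 30


def fat_architectures(data: bytes) -> list[str]:
    """Return the architectures listed in a FAT header, or [] if not FAT."""
    if len(data) < 8:
        return []
    magic, nfat = struct.unpack(">II", data[:8])
    if magic not in (FAT_MAGIC, FAT_MAGIC_64) or not 0 < nfat <= MAX_FAT_ARCHS:
        return []
    entry_size = 32 if magic == FAT_MAGIC_64 else 20
    archs = []
    for i in range(nfat):
        off = 8 + i * entry_size
        if off + 4 > len(data):
            break  # truncated header: report the entries we could read
        (cputype,) = struct.unpack(">I", data[off:off + 4])
        archs.append(CPU_NAMES.get(cputype, f"unknown(0x{cputype:08x})"))
    return archs


def thin_architecture(data: bytes) -> Optional[str]:
    """Return the architecture of a single-arch 64-bit Mach-O, else None."""
    if len(data) < 8:
        return None
    (magic,) = struct.unpack(">I", data[:4])
    if magic == MH_MAGIC_64:
        (cputype,) = struct.unpack(">I", data[4:8])
    elif magic == MH_CIGAM_64:
        (cputype,) = struct.unpack("<I", data[4:8])
    else:
        return None
    return CPU_NAMES.get(cputype, f"unknown(0x{cputype:08x})")


def classify(name: str, head: bytes) -> dict:
    """Score one file from its name and the first bytes of its contents."""
    fat = fat_architectures(head)
    thin = thin_architecture(head)
    archs = fat or ([thin] if thin else [])
    return {
        "name": name,
        "is_macho": bool(archs),
        "archs": archs,
        "known_name": name in SUSPICIOUS_NAMES,
        # Both traits from the report: universal Intel+ARM build, reported name.
        "universal_intel_arm": "x86_64" in fat and "arm64" in fat,
        "flag": name in SUSPICIOUS_NAMES and bool(archs),
    }


def scan_directory(root: Path) -> list[dict]:
    """Walk root and return classify() results for every Mach-O file found."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(8 + 32 * MAX_FAT_ARCHS)  # covers any FAT header
        result = classify(path.name, head)
        if result["is_macho"]:
            findings.append(result)
    return findings


def _fat_arch(cputype: int, offset: int, size: int) -> bytes:
    # fat_arch: cputype, cpusubtype, offset, size, align (big-endian uint32)
    return struct.pack(">IIIII", cputype, 0, offset, size, 14)


# Constructed test vectors: a two-slice FAT header and a Java class header.
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + _fat_arch(CPU_TYPE_X86_64, 0x4000, 0x100)
              + _fat_arch(CPU_TYPE_ARM64, 0x8000, 0x100))
SAMPLE_JAVA_CLASS = bytes.fromhex("cafebabe00000034") + b"\x00" * 16

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Downloads"
    for f in scan_directory(root):
        mark = "!!" if f["flag"] else "  "
        print(f"{mark} {f['name']}: {', '.join(f['archs'])}")
```

Run it with a directory argument (it defaults to ~/Downloads); lines marked `!!` are Mach-O files carrying one of the reported names. Name matching alone is a weak signal, since the files are trivially renamed, so in a real deployment the `flag` logic would be combined with the C&C indicators published by the vendor rather than used on its own.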
The researchers identified several versions of the malware and found commands that let the operators collect and upload files and obtain information about the device on which the backdoor is running. The campaign cannot yet be attributed to a known threat actor, but it shows similarities with the ALPHV/BlackCat ransomware, which is also written in Rust and shares domains used for command-and-control infrastructure.
Three of the four command-and-control servers used by this malware have been associated with earlier ransomware campaigns targeting Windows users, which points to a possible connection between the macOS malware and those Windows ransomware campaigns.