macOS users of some of the biggest chat apps are being hit by a new malware scam
Chinese macOS users who use the DingTalk and WeChat apps to communicate with others are being targeted by new information-stealing malware, experts warn.
Cybersecurity researchers at Kaspersky have analyzed a new malware sample recently uploaded to VirusTotal. They found it to be a macOS version of a well-known infostealer called HZ RAT.
HZ RAT has been around for almost half a decade (since 2020), but was first identified by German cybersecurity outlet DCSO in late 2022. For an infostealer, HZ RAT is relatively rudimentary and unsophisticated. It can connect to a command & control (C2) server, execute PowerShell commands and scripts, write arbitrary files to the target system, upload files, and transmit system information.
Chinese C2 servers
The Hacker News claims that given its limited functionality, HZ RAT is likely used for credential gathering and system exploration.
Now someone has taken it and made a near-identical copy, only for macOS. “The samples we found almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server,” Kaspersky said.
The Windows and macOS versions are also similar in how they initially reach the target endpoint. While Windows variants mimicked legitimate software like OpenVPN, PuTTYgen, or EasyConnect, the macOS versions seen so far have been mimicking the OpenVPN Connect client.
The files grabbed with HZ RAT differ depending on the chat app used, Kaspersky further explained: “The malware tries to obtain the victim’s WeChatID, email address and phone number from WeChat,” they said. “As for DingTalk, attackers are interested in more detailed victim data: name of the organization and department where the user works, username, work email address, [and] telephone number.”
While the identity of the attackers is unknown, researchers were able to determine where the C2 infrastructure is located. Most of the servers are located in China, with two in the US and the Netherlands.
Via The Hacker News