X-Industry

Bitdefender researchers have discovered a new backdoor targeting Mac OS users.  This previously undocumented family of malware is written in Rust and includes several interesting features.  While the investigation is ongoing, we’re sending out this alert to share indicators of compromise with the community. Bitdefender products identify this threat as Trojan.MAC.RustDoor.*.

Here’s what we know so far:  Distribution - The backdoor seems to impersonate a Visual Studio update, and all identified files are distributed directly as FAT binaries with Mach-O files for both x86_64 Intel and ARM architectures.  None of the files have any other parents (Application Bundles, Disk images). Some of the identified samples are under the following names:

• zshrc2
• Previewers
• VisualStudioUpdater
• VisualStudioUpdater_Patch
• VisualStudioUpdating
• visualstudioupdate
• DO_NOT_RUN_ChromeUpdates

Analysts were able to trace the first samples back to early November 2023.  The freshest sample was spotted on 2 Feburary2024, indicating the malware has been operating undetected for at least three months.[1]

Versions and capabilities - This backdoor seems to have multiple variants. While most of the samples share the same core functionalities (with minor variations), we split these samples into Variant 1, 2 and Zero, as documented below.  The files’ source code is written in Rust, and analysis of the binaries reveals the names of the original source files. Rust's syntax and semantics differ from those of  more common languages like C or Python, making it harder for security researchers to analyze and detect malicious code.  This can give malware authors an advantage in evading detection and analysis.

Variant 1 source files

Variant 2 source files

All samples we analysed contain the backdoor functionality, with the following list of supported commands:

• ps
• shell
• cd
• mkdir
• rm
• rmdir
• sleep
• upload
• botkill
• dialog
• taskkill
• download

These commands allow the malware to gather and upload files, and gather information about the machine, as highlighted by the following arguments used in conjunction with the sysctl command:

• cpu.vendor
• cpu.brand_string
• osproductversion
• cpufrequency

The information extracted with the sysctl command, as well as the output of two other commands (pwd and hostname) are then submitted to the Register endpoint of the C&C server to receive a Victim ID.   This Victim ID will be then used in the rest of communication between the C&C and backdoor.

Communication with the C2 servers is performed using the following endpoints:

• POST /gateway/register: called when the file is executed and has the purpose of receiving an ID from the C2. The payload sent to the server contains 3 fields: hostname, os_version(the macOS version, ex: 13.6.4) and pwd (the current directory)
• POST /gateway/report: called regularly at short timeintervals and the payload sent to the server containsonly one field, the idwith the value received as response from the /gateway/registercall
• /gateway/task: used to exchange information about the tasks executed on the compromised machine
• /tasks/upload_file:used to exfiltrate files

Currently, the C2 servers are answering with {“detail”: “Not found”}

Variant 1 - This variant, first seen on 22 November 2023, seems to be a testing version, as shown by the embedded plist file (which is copy-pasted from a public write-up describing persistence mechanisms and sandbox evasion techniques for macOS).  Another possible clue is the name of the plist file (test.plist).  Although this embedded plist is meant to ensure persistence using LaunchAgents, the configuration does not include a field for this persistence method (only for persistence using cronjobs or inserting the application in the Dock bar), as seen in the second variant.

The variant 1 samples also contain an embedded JSON configuration, which is described in deeper detail in the Persistence section.

Variant 2 - The files belonging to this second Variant were first seen on 30 November 2023 and are slightly larger than their counterparts in version one, at around 4-5MB.  This variant seems to be an upgraded version of the malware, that now contains a complex JSON configuration as well as an embedded Apple script used for exfiltration.

The embedded Apple script – Analysts identified multiple variants of the embedded Apple script, but all of them are meant for data exfiltration

The script is used to exfiltrate documents with specific extensions and sizes from Documents and Desktop folders, as well as the notes of the user, stored in SQLITE format at the following location: /Users/<user>/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite

Multiple strings containing the targeted extensions were also identified inside the binaries: txt, rtf, doc, xls, xlsx, png, pdf, pem, asc, ppk, rdp, zip, sql, ovpn, kdbx , conf, key, json

After all files are copied to the destination hidden folder, they are compressed into a ZIP archive (which has the name <username>_home.zip) and sent to the C2 server

The configuration options - The configuration options seem to include  a list of applications to be impersonated, with the purpose of spoofing the administrator password using a dialog, customized with different messages:

Some configurations also include specific instructions about what data to collect, such as the maximum size and maximum number of files, as well as lists of targeted extensions and directories, or directories to  exclude:

The first part of the configuration suggests there are multiple ways to achieve persistence, as documented in the Persistence  section.

Variant Zero - Variant Zero seems to be the earliest one, and was first seen on 02.11.2023.  Given the fact that it is presumably the original one, it is less complex than the other ones.  While it has the backdoor functionality, the apple script and embedded configuration are absent.

Persistence - As previously mentioned, the first two variants contain embedded JSON configurations that highlight multiple persistence mechanisms employed by this family, through fields like lock_in_cron, lock_in_launch, lock_in_dock or lock_in_rc.  
If the first two methods are quite common in recent malware families, the last two are not so popular.

lock_in_cron - Persistence using cronjobs

lock_in_launch - Persistence using LaunchAgents, causing the binary to be executed every time the user logs in. The path of the LaunchAgent is passed as parameter to the launchctl load –w <path_to_plist_file> command, which loads and starts the job, which will also restart on future logins.

.plist file created for persistence (

lock_in_rc - Persistence achieved by modifying the ~/.zshrc file, which is used to execute the binary every time a new ZSH session is opened.

lock_in_dock - Persistence achieved by adding the binary to the dock.  This is done using the command defaults write com.apple.dock persistent-apps -array-add. which modifies the com.apple.dock file (located in ~/Library/Preferences folder).  After modifying the file, the command killall Dock is executed to restart the Dock and apply the changes.

Possible link with notorious Windows ransomware groups - While the current information on Trojan.MAC.RustDoor is not enough to confidently attribute this campaign to a specific threat actor, artifacts and IoCs suggest a possible relationship with the BlackBasta and (ALPHV/BlackCat) ransomware operators.  Specifically, three out of the four command and control servers have been previously associated with ransomware campaigns targeting Windows clients.  ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model.

Indicators of Compromise - Currently known indicators of compromise can be found below. Bitdefender Threat Intelligence customers can access enriched, contextual insights about this attack. The ThreatID BDapx7qeon in the Bitdefender IntelliZone portal includes additional TTPs and visualizations. For more information about Bitdefender Threat Intelligence solution visit our product page.

Binaries

6dd3a3e4951d34446fe1a5c7cdf39754 (VisualStudioUpdater_Patch)

90a517c3dab8ceccf5f1a4c0f4932b1f (VisualStudioUpdater_Patch)

b67bba781e5cf006bd170a0850a9f2d0 (VisualStudioUpdating)

f5774aca722e0624daf67a2da5ec6967 (VisualStudioUpdater_Patch)

52a9d67745f153465fac434546007d3a (Previewers)

30b27b765878385161ca1ee71726a5c6 (DO_NOT_RUN_ChromeUpdates)

1dbc26447c1eaa9076e65285c92f7859 (visualstudioupdate)

05a8583f36599b5bc93fa3c349e89434 (VisualStudioUpdater)

5d0c62da036bbe375cb10659de1929e3 (VisualStudioUpdater)

68e0facbf541a2c014301346682ef9ca (VisualStudioUpdater)

b2bdd1d32983c35b3b1520d83d89d197 (zshrc2)

5fcc12eaba8185f9d0ddecafae8fd2d1 (zshrc2)

97cd4fc94c59121f903f2081df1c9981

28bdd46d8609512f95f1f1b93c79d277

3e23308d074d8bd4ffdb5e21e3aa8f22

088779125434ad77f846731af2ed6781

b67f6e534d5cca654813bd9e94a125b9

cf54cba05efee9e389e090b3fd63f89b

44fcf7253bcf0102811e50a4810c4e41

690a097b0eea384b02e013c1c0410189

186be45570f13f94b8de82c98eaa8f4f

3c780bcfb37a1dfae5b29a9e7784cbf5

925239817d59672f61b8332f690c6dd6

9c6b7f388abec945120d95d892314ea7

85cd1afbc026ffdfe4cd3eec038c3185

6aaba581bcef3ac97ea98ece724b9092

bcbbf7a5f7ccff1932922ae73f6c65b7

bde0e001229884404529773b68bb3da0

795f0c68528519ea292f3eb1bd8c632e

bc394c859fc379900f5648441b33e5fd

0fe0212fc5dc82bd7b9a8b5d5b338d22

835ebf367e769eeaaef78ac5743a47ca

bdd4972e570e069471a4721d76bb5efb

Download domains –

• https://sarkerrentacars.com/zshrc
• https://turkishfurniture.blog/Previewers
• http://linksammosupply.com/zshrc2
• http://linksammosupply.com/VisualStudioUpdaterLs2
• http://linksammosupply.com/VisualStudioUpdater

C&C URLs

• com
• 29.13.167
• 214.26.22
• https://serviceicloud.com

Link to full report: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported extensively on AI technology.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941 

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

[1] https://www.bitdefender.com/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group/