A new Rust-based backdoor that has been operating covertly since November 2023 is targeting Apple macOS users.
The backdoor, codenamed RustDoor by Bitdefender, masquerades as a Microsoft Visual Studio update and is built for both the Intel and Arm architectures.
Although it is said to be distributed as universal (FAT) binaries that bundle a Mach-O image for each architecture, the precise initial access pathway used to deliver the implant is currently unknown.
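A universal binary starts with a big-endian fat header that lists each embedded Mach-O slice, so the first triage step on a sample like the one described is to read that table and see which architectures it ships. The following Python is an added example, not Bitdefender's code and not anything taken from the RustDoor samples; it constructs its own two-slice image (stand-in mach_header_64 structures with no code in them) as input, and every offset/size pair is bounds-checked because a crafted header can point a slice outside the file.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Constants from <mach-o/fat.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE          # universal ("fat") binary; header is big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O magic, host (little) endian on x86_64/arm64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
MAX_SLICES = 16                 # sanity cap; Java .class files share the magic, and their
                                # version word reads as an implausibly large nfat_arch


@dataclass
class FatSlice:
    cputype: int
    cpusubtype: int
    offset: int
    size: int
    align: int          # log2 of the slice alignment
    magic: int          # first 4 bytes of the embedded slice

    @property
    def arch(self) -> str:
        return CPU_NAMES.get(self.cputype, hex(self.cputype))

    @property
    def is_macho64(self) -> bool:
        return self.magic == MH_MAGIC_64


def parse_fat(data: bytes) -> list[FatSlice]:
    """Parse the fat_header/fat_arch table; one FatSlice per embedded binary."""
    if len(data) < 8:
        raise ValueError("file too short for a fat header")
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError(f"not a fat binary (magic {magic:#x})")
    if nfat == 0 or nfat > MAX_SLICES or 8 + 20 * nfat > len(data):
        raise ValueError(f"implausible nfat_arch {nfat}")
    slices = []
    for i in range(nfat):
        entry = data[8 + 20 * i: 28 + 20 * i]
        cputype, cpusubtype, offset, size, align = struct.unpack(">iiIII", entry)
        # A hostile header can claim a slice that lies past the end of the buffer
        if size < 4 or offset + size > len(data):
            raise ValueError(f"slice {i} ({cputype:#x}) lies outside the file")
        (slice_magic,) = struct.unpack("<I", data[offset:offset + 4])
        slices.append(FatSlice(cputype, cpusubtype, offset, size, align, slice_magic))
    return slices


def is_universal(data: bytes) -> bool:
    """True only for a well-formed fat binary whose slices all fit inside the buffer."""
    try:
        parse_fat(data)
        return True
    except ValueError:
        return False


def slice_archs(data: bytes) -> list[str]:
    """Architecture names of the slices, in table order (e.g. ['x86_64', 'arm64'])."""
    return [s.arch for s in parse_fat(data)]


def _macho64_header(cputype: int, cpusubtype: int) -> bytes:
    # Minimal mach_header_64 (little-endian): magic, cputype, cpusubtype, filetype
    # (MH_EXECUTE = 2), ncmds, sizeofcmds, flags, reserved. A stand-in, not loadable.
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, cpusubtype, 2, 0, 0, 0, 0)


def build_sample_fat() -> bytes:
    """Constructed two-slice universal binary for the demo (not a real RustDoor sample)."""
    archs = [(CPU_TYPE_X86_64, 3), (CPU_TYPE_ARM64, 0)]   # CPU_SUBTYPE_*_ALL
    align = 12                                           # slices start on 4 KiB boundaries
    table = struct.pack(">II", FAT_MAGIC, len(archs))
    offset, bodies = 1 << align, []
    for cputype, cpusubtype in archs:
        body = _macho64_header(cputype, cpusubtype) + b"\x00" * 64
        table += struct.pack(">iiIII", cputype, cpusubtype, offset, len(body), align)
        bodies.append((offset, body))
        offset += 1 << align
    image = bytearray(offset)
    image[:len(table)] = table
    for off, body in bodies:
        image[off:off + len(body)] = body
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_fat()
    for s in parse_fat(sample):
        kind = "Mach-O 64" if s.is_macho64 else f"unknown magic {s.magic:#x}"
        print(f"{s.arch:>7}  offset={s.offset:#x} size={s.size} align=2^{s.align}  {kind}")
```

On a real sample, read the file into `data` and call `slice_archs(data)`; a thin Mach-O (magic `0xFEEDFACF` or `0xFEEDFACE` at offset 0) is rejected as "not a fat binary" rather than misparsed, which is the behaviour you want before handing a file to further tooling.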
To date, several variants with minor differences have been found, most likely indicating active development. The earliest known RustDoor sample dates to November 2, 2023.
The backdoor supports a variety of commands that let it gather and upload files and collect information about the compromised endpoint.
Some versions also carry a configuration that specifies which file extensions to target, which directories to exclude, and what data to collect.
The collected information is then sent to a command-and-control (C2) server.
Due to similarities in C2 infrastructure, the malware is probably connected to well-known ransomware families like Black Basta and BlackCat, according to the Romanian cybersecurity company.
According to security researcher Andrei Lapusneau, the ransomware family “ALPHV/BlackCat” first appeared in November 2021 and is credited with creating the public leaks business model.
More than 500 victims of the BlackCat ransomware operation can use a decryption tool that was released by the U.S. government in December 2023 to regain access to malware-locked files.
Update
Bogdan Botezatu, Bitdefender’s threat research and reporting director, responded to The Hacker News’ request for comment on the potential initial access vector by revealing fresh data that suggested the campaign may have been more targeted than previously believed.
“Some domains spreading the malware were similar to some popular social media accounts, so that was the initial assumption we made.
“We were able to identify a few first-stage downloaders, or application bundles, that are responsible for downloading and running the backdoor, so we now have new leads. Some of these first-stage downloaders falsely claim to be PDF files with job offers, while downloading and opening an innocent PDF file that bills itself as a confidentiality agreement.
“These recent discoveries make us think that the malware wasn’t distributed shotgun-style; rather, it was used in a targeted attack. This explains why, prior to our publication of the investigation on Bitdefender Labs, the malware went largely unnoticed.”