A recently discovered Apple macOS backdoor called RustDoor is targeting a number of cryptocurrency-related businesses.
Bitdefender first identified RustDoor last week, describing it as Rust-based malware that can download files, upload them, and gather data on infected computers. It is distributed by posing as a Visual Studio update.
At the time, the exact initial propagation mechanism was not known, although earlier evidence pointed to at least three different backdoor variants.
However, the Romanian cybersecurity company later told The Hacker News that the malware was used in a targeted attack rather than a spray-and-pray campaign, noting that it had also discovered additional artifacts that could be used to download and launch RustDoor.
According to Bogdan Botezatu, director of threat research and reporting at Bitdefender, some of these first-stage downloaders pose as PDF files with job offers but are actually scripts that download and execute malware while also downloading and opening a harmless PDF file.
Three more malicious samples that serve as first-stage payloads have since surfaced, each of which claims to be a job offer. These ZIP archives predate the earlier RustDoor binaries by almost a month.
The archive files ("Jobinfo.app.zip" or "Jobinfo.zip") are a new part of the attack chain: a basic shell script contained in the ZIP retrieves the implant from the website turkishfurniture[.]blog. A harmless decoy PDF ("job.pdf") hosted on the same website is opened as a distraction.
Four new Golang-based binaries that communicate with an actor-controlled domain (sarkerrentacars[.]com) were also found, according to Bitdefender. Their goal is to "use the system_profiler and networksetup utilities, which are a part of the macOS operating system, to gather information about the victim's machine and its network connections."
Additionally, the binaries can retrieve a comprehensive list of kernel parameters and configuration values using the "sysctl -a" command, as well as information about the disks via "diskutil list."
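As an added example (not code from the article or from Bitdefender), the following Python flags the reconnaissance pattern described above in endpoint process-execution logs: it groups executed commands by host and parent process and alerts when several of the utilities named above run within a short window of each other. The log line format and the sample lines are constructed for illustration and should be adapted to your EDR's export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Recon utilities named in the article; matched as substrings of the command line.
RECON_PATTERNS = ("system_profiler", "networksetup", "sysctl -a", "diskutil list")
WINDOW = timedelta(minutes=5)  # the recon commands must fall inside this span
MIN_DISTINCT = 3               # distinct utilities needed to raise an alert

# Constructed sample log (assumed format): "<ISO time> host=<h> ppid=<n> cmd=<command line>".
SAMPLE_LOG = """\
2024-02-15T10:02:11 host=mac-01 ppid=4021 cmd=/usr/sbin/system_profiler SPHardwareDataType
2024-02-15T10:02:13 host=mac-01 ppid=4021 cmd=/usr/sbin/networksetup -listallhardwareports
2024-02-15T10:02:15 host=mac-01 ppid=4021 cmd=/usr/sbin/sysctl -a
2024-02-15T10:02:16 host=mac-01 ppid=4021 cmd=/usr/sbin/diskutil list
2024-02-15T11:30:00 host=mac-02 ppid=515 cmd=/usr/sbin/system_profiler SPSoftwareDataType
2024-02-15T14:45:00 host=mac-02 ppid=777 cmd=/usr/sbin/diskutil list
"""

def parse_line(line):
    """Split one log line into (timestamp, host, ppid, command line)."""
    ts, rest = line.split(" ", 1)
    host_kv, ppid_kv, cmd_kv = rest.split(" ", 2)
    return (datetime.fromisoformat(ts), host_kv.split("=", 1)[1],
            ppid_kv.split("=", 1)[1], cmd_kv.split("=", 1)[1])

def find_recon_clusters(log_text):
    """Return {(host, ppid): sorted recon tools} for each parent process that
    ran at least MIN_DISTINCT of the utilities within WINDOW of each other."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, ppid, cmd = parse_line(line)
        for pattern in RECON_PATTERNS:
            if pattern in cmd:
                events[(host, ppid)].append((ts, pattern))
    alerts = {}
    for key, evs in events.items():
        evs.sort()  # time order, so each window starts at one event
        for i, (start, _) in enumerate(evs):
            tools = {p for t, p in evs[i:] if t - start <= WINDOW}
            if len(tools) >= MIN_DISTINCT:
                alerts[key] = sorted(tools)
                break
    return alerts

if __name__ == "__main__":
    for (host, ppid), tools in find_recon_clusters(SAMPLE_LOG).items():
        print(f"ALERT {host} parent pid {ppid}: recon utilities {', '.join(tools)}")
```

Single legitimate uses of system_profiler or diskutil (as on mac-02) stay below the threshold; the alert fires only on the clustered pattern from one parent process.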
A leaky endpoint ("/client/bots") on the command-and-control (C2) infrastructure has also been found, allowing the collection of information about currently infected victims, including the timestamps at which each infected host was registered and at which its most recent activity was observed.
The development comes as South Korea's National Intelligence Service (NIS) revealed that an IT company connected to Office No. 39 of the Workers' Party of North Korea is making illegal money by selling thousands of malware-infected gambling websites to other cybercriminals, who use them to steal private information from unwitting gamblers.
According to Yonhap News Agency, Gyeongheung (also known as Gyonghung), a 15-member entity based in Dandong, is the company behind the malware-as-a-service (MaaS) scheme. It allegedly received $5,000 from an unidentified South Korean criminal organization for building one website and $3,000 per month for maintaining it.