The Trojan.MAC.RustDoor backdoor is potentially linked to the notorious BlackBasta and (ALPHV/BlackCat) ransomware operators.
Bitdefender researchers have discovered a new backdoor targeting macOS devices. The backdoor, dubbed, Trojan.MAC.RustDoor is written in Rust language and can steal specific files, archive them, and upload them to the C2 (command and control) server.
According to the researchers, the backdoor has been active since November 2023. While Bitdefender could not attribute the campaign to a known threat actor, artefacts and indicators of compromise (IoCs) suggest a possible relationship with BlackBasta and ALPHV/BlackCat ransomware operators.
The backdoor impersonates a Visual Studio update, distributed as FAT binaries with Mach-O files for Intel x86_64 and ARM architectures. Samples identified by Bitdefender were titled:
- zshrc2
- Previewers
- VisualStudioUpdater
- VisualStudioUpdating
- visualstudioupdate
- VisualStudioUpdater_Patch
- DO_NOT_RUN_ChromeUpdates
The first samples were found in November 2023 and the newest on 2nd February 2024. The Rust-based source code makes it harder for security researchers to analyze and detect its malicious code, potentially giving malware authors an advantage.
The backdoor has multiple variants, named Variant 1, Variant 2, and Variant Zero, with most samples sharing core functionalities. Variant 1 is a testing version, first seen on 22nd November 2023, and contains an embedded plist file. It is meant to ensure persistence using LaunchAgents but does not include a field for this method.
The second variant, found on 30th November 2023, is an upgraded version of the malware, containing a complex JSON configuration and an embedded Apple script for data exfiltration. The script is used to exfiltrate documents with specific extensions and sizes from Documents and Desktop folders, as well as user notes stored in SQLite format.
Variant Zero, discovered on 2nd February 2024, is the least complex variant, lacking Apple script and embedded configuration, despite its backdoor functionality.
All samples contain the backdoor functionality, with supported commands such as ps, shell, cd, mkdir, rm, rmdir, sleep, upload, botkill, dialog, taskkill, and download. These commands allow the malware to gather and upload files and gather information about the machine.
Additionally, the information extracted with the sysctl command and the output of two other commands (pwd and hostname) are submitted to the Register endpoint of the C&C server to receive a Victim ID.
According to Bitdefender’s blog post, communication with the C2 servers is performed using endpoints such as POST /gateway/register, POST /gateway/report, /gateway/task, and /tasks/upload_file. The C2 servers are currently answering with “detail”: “Not found.”
Trojan.MAC.RustDoor is a malware family that employs multiple persistence mechanisms, including lock_in_cron, lock_in_launch, lock_in_dock, and lock_in_rc. These methods are common in recent malware families but not as popular. Lock_in_cron involves using cronjobs, while lock_in_launch uses LaunchAgents to execute the binary every time a user logs in.
Lock_in_rc is achieved by modifying the ~/.zshrc file to execute the binary every time a new ZSH session is opened. Lock_in_dock is achieved by adding the binary to the Dock using the command defaults write com.apple.dock persistent-apps -array-add.
This is an ongoing research. Hackread.com will update readers when new details are shared regarding the likely threat actors behind this operation.