Security
Headlines
HeadlinesLatestCVEs

Headline

macOS Version of HZ RAT Backdoor Targets Chinese Messaging App Users

Users of Chinese instant messaging apps like DingTalk and WeChat are the target of an Apple macOS version of a backdoor named HZ RAT. The artifacts “almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server,” Kaspersky researcher Sergey Puzan said. HZ RAT was first

The Hacker News
#mac#windows#apple#google#microsoft#git#backdoor#The Hacker News

Cyber Espionage / Malware

Users of Chinese instant messaging apps like DingTalk and WeChat are the target of an Apple macOS version of a backdoor named HZ RAT.

The artifacts “almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server,” Kaspersky researcher Sergey Puzan said.

HZ RAT was first documented by German cybersecurity company DCSO in November 2022, with the malware distributed via self-extracting zip archives or malicious RTF documents presumably built using the Royal Road RTF weaponizer.

The attack chains involving RTF documents are engineered to deploy the Windows version of the malware that’s executed on the compromised host by exploiting a years-old Microsoft Office flaw in the Equation Editor (CVE-2017-11882).

The second distribution method, on the other hand, masquerades as an installer for legitimate software such as OpenVPN, PuTTYgen, or EasyConnect, that in addition to actually installing the lure program, also executes a Visual Basic Script (VBS) responsible for launching the RAT.

The capabilities of HZ RAT are fairly simple in that it connects to a command-and-control (C2) server to receive further instructions. This includes executing PowerShell commands and scripts, writing arbitrary files to the system, uploading files to the server, and sending heartbeat information.

Given the limited functionality of the tool, it’s suspected that the malware is primarily used for credential harvesting and system reconnaissance activities.

Evidence shows that the first iterations of the malware have been detected in the wild as far back as June 2020. The campaign itself, per DCSO, is believed to be active since at least October 2020.

The latest sample uncovered by Kaspersky, uploaded to VirusTotal in July 2023, impersonates OpenVPN Connect (“OpenVPNConnect.pkg”) that, once started, establishes contact with a C2 server specified in the backdoor to run four basic commands that are similar to that of its Windows counterpart -

  • Execute shell commands (e.g., system information, local IP address, list of installed apps, data from DingTalk, Google Password Manager, and WeChat)
  • Write a file to disk
  • Send a file to the C2 server
  • Check a victim’s availability

“The malware attempts to obtain the victim’s WeChatID, email and phone number from WeChat,” Puzan said. “As for DingTalk, attackers are interested in more detailed victim data: Name of the organization and department where the user works, username, corporate email address, [and] phone number.”

Further analysis of the attack infrastructure has revealed that almost all of the C2 servers are located in China barring two, which are based in the U.S. and the Netherlands.

On top of that, the ZIP archive containing the macOS installation package (“OpenVPNConnect.zip”) is said to have been previously downloaded from a domain belonging to a Chinese video game developer named miHoYo, which is known for Genshin Impact and Honkai.

It’s currently not clear how the file was uploaded to the domain in question (“vpn.mihoyo[.]com”) and if the server was compromised at some point in the past. It’s also undetermined how widespread the campaign is, but the fact that the backdoor is being put to use even after all these years points to some degree of success.

“The macOS version of HZ Rat we found shows that the threat actors behind the previous attacks are still active,” Puzan said. “the malware was only collecting user data, but it could later be used to move laterally across the victim’s network, as suggested by the presence of private IP addresses in some samples.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data

The North Korea-linked threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension that's designed to steal sensitive information as part of an ongoing intelligence collection effort. Zscaler ThreatLabz, which observed the activity in early March 2024, has codenamed the extension TRANSLATEXT, highlighting its ability to gather email addresses, usernames,

To Damage OT Systems, Hackers Tap USBs, Old Bugs & Malware

USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.

New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks

A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers. "ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova said in a Monday analysis.

Operation Rusty Flag: Azerbaijan Targeted in New Rust-Based Malware Campaign

Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems. Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group. "The operation has at least two different initial access vectors," security researchers

Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant

The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. “APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” NSFOCUS Security Labs said in a report published last week. APT34, also known by

Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog

CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.

Cybercrime Group TA558 Targeting Hospitality, Hotel, and Travel Organizations

A financially motivated cybercrime group has been linked to an ongoing wave of attacks aimed at hospitality, hotel, and travel organizations in Latin America with the goal of installing malware on compromised systems. Enterprise security firm Proofpoint, which is tracking the group under the name TA558 dating all the way back to April 2018, called it a "small crime threat actor." "Since 2018,

Microsoft Office Most Exploited Software in Malware Attacks – Report

By Deeba Ahmed Research reveals that around 80% of all malware attacks used MS Office flaws. Atlas VPN has shared its… This is a post from HackRead.com Read the original post: Microsoft Office Most Exploited Software in Malware Attacks – Report

Emotet Banking Trojan Resurfaces, Skating Past Email Security

The malware is using spreadsheets, documents, and other types of Microsoft Office attachments in a new and improved version that is often able to bypass email gateway-security scanners.

Bitter APT adds Bangladesh to their targets

Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other... [[ This is only the beginning! Please visit the blog for the complete entry ]]

The Hacker News: Latest News

Warning: Over 2,000 Palo Alto Networks Devices Hacked in Ongoing Attack Campaign