Cybersecurity experts at Kaspersky Lab have uncovered a macOS version of the HZ Rat backdoor, signaling a significant evolution in this malware’s capabilities. This new variant specifically targets users of popular corporate messaging applications DingTalk and WeChat, raising concerns about potential data breaches in business environments.
Understanding the HZ Rat Threat
Initially discovered in November 2022 by DCSO researchers, HZ Rat was originally designed to attack Windows systems. The newly identified macOS version shares many similarities with its Windows counterpart, differing primarily in its payload delivery mechanism. Both versions receive commands through shell scripts from the attacker’s command and control (C2) servers.
While the initial distribution point of the macOS HZ Rat remains unknown, researchers have identified an installation package named OpenVPNConnect.pkg. This file, uploaded to VirusTotal in July 2023, went undetected by all vendors at the time of analysis, highlighting the sophisticated nature of this threat.
Infection and Communication Methods
Upon execution, HZ Rat establishes a connection with its C2 server using a predefined list of IP addresses. Most samples utilize port 8081 for communication, with some instances connecting through private IP addresses. The backdoor employs XOR encryption with a key of 0x42 for C2 communication, adding a layer of stealth to its operations.
Key Backdoor Functionalities
HZ Rat supports four primary commands:
- Execute shell commands
- Write files to disk
- Upload files to the server
- Check victim availability
Data Exfiltration Targets
The malware’s primary objective appears to be the extraction of sensitive user information from DingTalk and WeChat. From WeChat, it attempts to harvest the user’s WeChatID, email, and phone number. DingTalk users face a more comprehensive data collection effort, including:
- Organization and department names
- Username
- Corporate email address
- Phone number
This information is typically stored unencrypted in various application files, making it easily accessible to the malware.
Infrastructure and Geographic Distribution
During the investigation, researchers identified four active C2 servers. Notably, some malware samples included private IP addresses, suggesting a sophisticated attack methodology involving compromised machines within target networks acting as proxies.
The majority of the C2 servers were located in China, with isolated instances in the United States and the Netherlands. Some of the IP addresses associated with this campaign have been linked to previous Windows-based HZ Rat attacks dating back to 2022, indicating a persistent and evolving threat actor.
While the full intentions of the attackers remain unclear, the collected data could potentially be used for surveillance, social engineering, or as a precursor to more targeted attacks. This development underscores the importance of robust cybersecurity measures, especially for organizations relying on corporate messaging platforms. Users of DingTalk and WeChat on macOS systems should remain vigilant and ensure their security software is up-to-date to mitigate this evolving threat.