Users of Chinese instant messaging apps such as DingTalk and WeChat have been targeted by a macOS version of a backdoor known as HZ RAT.
Kaspersky researcher Sergey Puzan said the artifact “almost exactly replicates the functionality of the Windows version of the backdoor, only the payload received from the attacker's server in the form of a shell script differs.”
HZ RAT was first documented by German cybersecurity firm DCSO in November 2022. The malware was distributed via self-extracting zip archives or malicious RTF documents that appeared to be created using the Royal Road RTF Weaponizer.
The attack chain involving the RTF document is designed to exploit a years-old Microsoft Office flaw (CVE-2017-11882) in the equation editor to deploy a Windows version of the malware that runs on the compromised host.
Meanwhile, the second distribution method poses as an installer for legitimate software such as OpenVPN, PuTTYgen, or EasyConnect. It installs the decoy program while also running a Visual Basic Script (VBS) that launches the RAT.
The functionality of HZ RAT is very simple: it simply connects to a command and control (C2) server to receive further instructions, which can include executing PowerShell commands and scripts, writing arbitrary files to the system, uploading files to the server, and sending heartbeat information.
Given the tool's limited functionality, it is suspected that the malware is primarily used for credential harvesting and system reconnaissance activities.
Evidence suggests that the first version of the malware was spotted in the wild as early as June 2020. The campaign itself is believed to have been active since at least October 2020, according to DCSO.
The latest sample discovered by Kaspersky, uploaded to VirusTotal in July 2023, disguises itself as OpenVPN Connect (“OpenVPNConnect.pkg”) and, upon launch, establishes a connection with a C2 server specified by the backdoor and executes four basic commands similar to the Windows version.
- Execute shell commands (e.g. to collect system information, the local IP address, the list of installed apps, and DingTalk, Google Password Manager, and WeChat data)
- Write files to disk
- Send a file to the C2 server
- Check victim availability
“From WeChat, the malware tries to obtain the victim's WeChat ID, email address, and phone number,” Puzan said. “For DingTalk, the attackers are interested in more detailed data about the victim, such as the name of the organization or department the user works for, their username, their company email address, [and] telephone number.”
Further analysis of the attack infrastructure reveals that almost all of the C2 servers are located in China, with two in the US and the Netherlands.
Additionally, a ZIP archive containing a macOS installation package (“OpenVPNConnect.zip”) was allegedly previously downloaded from a domain belonging to a Chinese video game developer called miHoYo, known for Genshin Impact and Honkai.
It is currently unclear how the file was uploaded to the domain in question (“vpn.mihoyo[.]com”), or whether the server was compromised at some point in the past. It is also unclear how widespread this campaign is, but the fact that the backdoor is still in use after all these years indicates some level of success.
“The macOS version of HZ RAT we discovered indicates that the threat actors behind previous attacks are still active,” Puzan said. “Although the malware was only collecting user data, the presence of private IP addresses in some samples suggests that it could have been used to move laterally within victim networks.”