Experts have warned that Chinese macOS users who use the DingTalk and WeChat apps to communicate with others are being targeted by a new piece of information-stealing malware.
Cybersecurity researchers at Kaspersky Lab analyzed new malware samples recently uploaded to VirusTotal and discovered that attackers have repurposed a known information-stealing malware, HZ RAT, for macOS.
HZ RAT has been around for almost five years, since 2020, but was first identified by the German cybersecurity company DCSO in late 2022. As an infostealer, HZ RAT is relatively rudimentary and unsophisticated: it can connect to command and control (C2) servers, execute PowerShell commands and scripts, write arbitrary files to target systems, upload files, and send back system information.
Chinese C2 Servers
The researchers claim that because HZ RAT has limited functionality, it is more likely to be used for credential harvesting and system reconnaissance.
Now someone has gotten hold of it and created a near-identical macOS port. “The sample we found almost exactly replicates the functionality of the Windows version of the backdoor and differs only in the payload received from the attacker's server in the form of a shell script,” Kaspersky said.
Another similarity between the Windows and macOS versions is how they reach the target endpoint in the first place: while the Windows version masquerades as legitimate software like OpenVPN, PuTTYgen, and EasyConnect, the macOS version has so far only masqueraded as the OpenVPN Connect client.
The data collected by HZ RAT varies depending on the chat app in use. Kaspersky further explains that “from WeChat, the malware attempts to obtain the victim's WeChat ID, email address, and phone number.” As for DingTalk, “the attackers are interested in more detailed data about the victim: the name and department of the organization the user works for, their username, company email address, [and] telephone number.”
Although the identity of the attackers is unknown, the researchers were able to identify the location of the C2 infrastructure: the majority of the servers are located in China, with two in the US and one in the Netherlands.
via Hacker News