Researchers identify new macOS 'malware' that steals files by posing as a Visual Studio update

A group of researchers has identified a new 'malware' targeting macOS users that is able to steal files through a backdoor distributed under the guise of an update to Microsoft's Visual Studio Code program.

This has been detailed by a group of researchers from the cybersecurity company Bitdefender, who state that it is a new backdoor belonging to a 'previously undocumented' malware family and that it shows a possible link to a Windows 'ransomware' group.

In this context, as detailed in a statement on their website, this backdoor, which they refer to as Trojan.MAC.RustDoor, is aimed at macOS users and written in Rust, a "relatively new" programming language in the 'malware' ecosystem that gives cybercriminals an advantage when it comes to evading detection and analysis of the attack.

Specifically, as they have been able to verify, the 'malware' can be used to steal specific files or file types, as well as to archive them and upload them to the command and control (C&C) server, so that the malicious actors can access them.

Furthermore, according to the researchers, the campaign has been active since at least November of last year. The most recent 'malware' sample found is dated the 2nd of this month, which indicates that it "has been running undetected for at least three months."

To distribute itself, this 'malware' spoofs an update to Microsoft's Visual Studio program. In fact, some of the identified samples have names such as 'VisualStudioUpdater', 'VisualStudioUpdater_Patch', 'VisualStudioUpdating' and 'visualstudioupdate'. However, other samples of this 'malware' have also been found under the names 'DO_NOT_RUN_ChromeUpdates' or 'zshrc2'.

Likewise, all of the files are Fat binaries, that is, they can run on more than one type of processor, in this case on architectures based on Intel (x86_64) and on ARM (Apple Silicon).
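A Fat (universal) Mach-O file is simply a big-endian table of architecture slices in front of one thin Mach-O per CPU type, so an analyst can tell which processors a suspicious "updater" was built for without running it. The following is an added example, not code from the article or from Bitdefender: it parses only the headers Apple defines in `<mach-o/fat.h>` and `<mach-o/loader.h>`, the function names (`mach_o_architectures`, `is_universal`, `build_sample_fat`, `thin_stub`) are this example's own, and the sample files it inspects are constructed in the block rather than taken from any real sample.

```python
"""Report which CPU architectures a Mach-O file carries (thin or fat/universal).

Added example, not code from the article or from Bitdefender. It parses only the
headers defined in Apple's <mach-o/loader.h> and <mach-o/fat.h>; the sample files
built at the bottom are constructed for the demonstration.
"""
import struct

FAT_MAGIC = 0xCAFEBABE          # fat header, always big-endian
MH_MAGIC = 0xFEEDFACE           # 32-bit thin Mach-O (little-endian file)
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit thin Mach-O (little-endian file)

CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64   # 0x01000007
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64    # 0x0100000C
CPU_NAMES = {CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64",
             CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}

FAT_HEADER = struct.Struct(">II")    # magic, nfat_arch
FAT_ARCH = struct.Struct(">iiIII")   # cputype, cpusubtype, offset, size, align
MAX_PLAUSIBLE_ARCHS = 16             # sanity bound; Java .class files share FAT_MAGIC


def _arch_name(cputype: int) -> str:
    return CPU_NAMES.get(cputype, "cputype_%#x" % cputype)


def mach_o_architectures(data: bytes) -> list[str]:
    """Return the architectures in a Mach-O file: one entry for a thin file,
    several for a fat ("universal") file, [] if it is not Mach-O at all.

    Raises ValueError when a fat header is present but inconsistent with the
    file length, which is worth flagging on its own during triage.
    """
    if len(data) < 8:
        return []
    magic_be, nfat_arch = FAT_HEADER.unpack_from(data, 0)
    if magic_be == FAT_MAGIC:
        # Java class files start with the same four bytes, followed by the
        # class-file version (e.g. 0x00000034); a real fat header has a small count.
        if nfat_arch == 0 or nfat_arch > MAX_PLAUSIBLE_ARCHS:
            raise ValueError("fat magic with implausible nfat_arch=%d" % nfat_arch)
        table_end = FAT_HEADER.size + nfat_arch * FAT_ARCH.size
        if len(data) < table_end:
            raise ValueError("fat arch table runs past end of file")
        archs = []
        for i in range(nfat_arch):
            cputype, _subtype, offset, size, _align = FAT_ARCH.unpack_from(
                data, FAT_HEADER.size + i * FAT_ARCH.size)
            if offset + size > len(data):   # every slice must lie inside the file
                raise ValueError("slice %d (%s) runs past end of file"
                                 % (i, _arch_name(cputype)))
            archs.append(_arch_name(cputype))
        return archs
    # Thin Mach-O: the header is written in the target's byte order, which is
    # little-endian for every macOS target handled here.
    magic_le = struct.unpack_from("<I", data, 0)[0]
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        cputype = struct.unpack_from("<i", data, 4)[0]
        return [_arch_name(cputype)]
    return []


def is_universal(data: bytes) -> bool:
    """True when the file bundles more than one architecture."""
    return len(mach_o_architectures(data)) > 1


def build_sample_fat(slices) -> bytes:
    """Construct a minimal fat file from (cputype, payload) pairs.

    Constructed test data only: real tools page-align every slice, this does not.
    """
    header_len = FAT_HEADER.size + len(slices) * FAT_ARCH.size
    table = bytearray(FAT_HEADER.pack(FAT_MAGIC, len(slices)))
    body = bytearray()
    for cputype, payload in slices:
        table += FAT_ARCH.pack(cputype, 0, header_len + len(body), len(payload), 0)
        body += payload
    return bytes(table + body)


def thin_stub(cputype: int) -> bytes:
    """A 32-byte stand-in for a thin 64-bit Mach-O: header magic and cputype only."""
    return struct.pack("<Ii", MH_MAGIC_64, cputype) + b"\0" * 24


if __name__ == "__main__":
    sample = build_sample_fat([(CPU_TYPE_X86_64, thin_stub(CPU_TYPE_X86_64)),
                               (CPU_TYPE_ARM64, thin_stub(CPU_TYPE_ARM64))])
    print("fat sample:", mach_o_architectures(sample), "universal:", is_universal(sample))
    print("thin sample:", mach_o_architectures(thin_stub(CPU_TYPE_ARM64)))
```

On a Mac the same answer comes from `lipo -archs` or `file`; the point of an offline parser is triaging a file pulled from a host without executing anything from it, and the length checks matter because a header whose slices point past the end of the file is itself a signal that the sample is damaged or crafted. Being universal says nothing by itself about whether a file is malicious: legitimate Apple and third-party software ships the same way.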

Among the different versions that the researchers have identified in this 'malware' campaign, commands such as 'shell', 'cd', 'sleep', 'upload', 'taskkill' or 'dialog' have been found, with which cybercriminals can collect and upload files, as well as obtain information about the device on which it is running.

As they have explained, specifically, the 'sysctl' command, together with the 'pwd' and 'hostname' commands, sends to the registration endpoint of the command and control infrastructure server (that is, the servers that control the information, centralize it and carry out the necessary actions) a 'Victim ID' file, which is subsequently used in "the rest of the communication between C&C and the backdoor."

With all this, Bitdefender has indicated that, for the moment, this 'malware' campaign cannot be attributed to any known threat actor. However, they have observed similarities with the ALPHV/BlackCat 'ransomware', which also uses the Rust programming language and "common domains" as command and control infrastructure servers.

In fact, they have pointed out that three of the four command and control servers used by this 'malware' have been associated with previous 'ransomware' campaigns targeting Windows customers.

By Editor