Users of Chinese instant messaging apps such as DingTalk and WeChat are being targeted by a backdoor in a version of Apple’s macOS called HZ RAT.
The artifacts “almost exactly repeat the functionality of the Windows version of the backdoor and differ only in the payload, which is obtained in the form of shell scripts from the attackers’ server,” said Kaspersky researcher Sergey Puzan. said.
ХЗ RAT was documented for the first time by the German cyber security company DCSO in November 2022, the malware was distributed via self-extracting zip archives or malicious RTF documents believed to be created using Royal road RTF weapons.
Attack chains involving RTF documents are designed to deploy a Windows version of the malware that runs on a compromised host using a years-old Microsoft Office flaw in the equation editor (CVE-2017-11882).
The second distribution method, on the other hand, is disguised as an installer for legitimate software such as OpenVPN, PuTTYgen, or EasyConnect, which in addition to actually installing the lure, also executes the Visual Basic Script (VBS) responsible for launching the RAT.
The capabilities of the HZ RAT are quite simple in that it connects to the control server (C2) for further instructions. This includes executing PowerShell commands and scripts, writing arbitrary files to the system, uploading files to the server, and sending heartbeat information.
Given the limited functionality of the tool, it is suspected that the malware is mainly used for credential harvesting and system reconnaissance.
Evidence shows that the first iterations of the malware were discovered in the wild as early as June 2020. The company itself is believed to have been active since at least October 2020, according to DCSO.
The latest sample discovered by Kaspersky, uploaded to VirusTotal in July 2023, embodies OpenVPN Connect (“OpenVPNConnect.pkg”), which when launched contacts the C2 server specified in the backdoor to execute four basic commands similar to its counterpart windows –
- Executing shell commands (such as system information, local IP address, list of installed programs, data from DingTalk, Google Password Manager and WeChat)
- Burn the file to disk
- Send the file to the C2 server
- Check for a victim
“The malware tries to get the victim’s WeChatID, email address and phone number from WeChat,” Puzan said. “In the case of DingTalk, the attackers are interested in more detailed information about the victim: the name of the organization and department where the user works, username, corporate email address, (and) phone number.”
Further analysis of the attack infrastructure revealed that almost all of C2’s servers are located in China, with the exception of two located in the United States and the Netherlands.
In addition to this, the ZIP archive containing the macOS installation package (“OpenVPNConnect.zip”) was allegedly previously downloaded from a domain belonging to Chinese video game developer miHoYo, known for Genshin Impact and Honkai.
It is currently unclear how the file was uploaded to the domain in question (“vpn.mihoyo(.)com”) and whether the server was compromised at some point in the past. It’s also unclear how widespread the campaign is, but the fact that the backdoor is still being used after so many years suggests a degree of success.
“The macOS version of HZ Rat we found shows that the threat actors behind the previous attacks are still active,” said Puzan. “The malware only collected user data, but it could later be used to move laterally across the victim’s network, as evidenced by the presence of private IP addresses in some of the samples.”
