In a recent disclosure, cybersecurity company Bitdefender unearthed macOS malware named RustDoor that is disseminating through a malicious Visual Studio update, serving as a backdoor for compromised systems.
The campaign, which has been operational since November 2023, persists in distributing updated iterations of the malware identified as RustDoor (Trojan.MAC.RustDoor) Developed in Rust, RustDoor demonstrates compatibility with both Intel-based (x86_64) and ARM (Apple Silicon) architectures.
Researchers at Bitdefender have disclosed that RustDoor malware establishes communication with four command-and-control (C2) servers, and notably, three of these servers show potential links to the ALPHV/BlackCat ransomware gang, according to threat intelligence data, according to BleepingComputer. However, researchers caution against definitive attribution, emphasizing the indication of a potential association with BlackBasta and ALPHV/BlackCat ransomware operators.
(Photo : JOSH EDELSON/AFP via Getty Images)MacBook Pros are seen on display during a product launch event at Apple headquarters in Cupertino, California on October 27, 2016.
Multiple Variants Found
Despite the existence of macOS encryptors, there are no public reports of ransomware targeting Apple's operating system, especially on M1 builds predating December 2022. Cyber operations predominantly focus on Windows and Linux systems due to their prevalence in enterprise environments. The shared infrastructure among cybercriminals, constrained by the need for anonymity, underscores the commonality of servers across various threat actors.
SecurityWeek reported that Bitdefender's investigation reveals multiple variants of RustDoor, all sharing a common backdoor functionality with minor distinctions.
The initial variant, discovered in November 2023, appears as a test version lacking a complete persistence mechanism and includes a 'test' list file. The second variant, observed later that month, features larger files, a complex JSON configuration, and an Apple script for extracting specific documents from user folders. RustDoor copies and compresses documents into a ZIP archive before transmitting them to the C&C server.
Read Also: Biden Administration and Tech Giants Unveil AISIC: A Collaborative Initiative to Tackle AI Risks
Bitdefender's findings unveil RustDoor's configuration file options, encompassing the ability to impersonate various applications and customize a spoofed administrator password dialog. The JSON configuration outlines four persistence mechanisms: cronjobs, LaunchAgents for login execution, file modification for ZSH session initiation, and binary addition to the dock.
A third variant, identified as the original, lacks complexity, an Apple script, and an embedded configuration. RustDoor employs C&C servers previously associated with Black Basta and Alphv/BlackCat ransomware campaigns, suggesting potential connections to these cyber threats.
Malware Backdoor Capacity
As highlighted in their recent discoveries, researchers explained that RustDoor is endowed with functionalities enabling manipulation of the compromised system, data extraction, and the establishment of persistence on the device by altering system files.
Upon infiltrating a system, the malware establishes communication with command-and-control (C2) servers through designated endpoints for activities such as registration, task execution, and data exfiltration. To ensure sustained operation through system reboots, the backdoor employs Cron jobs and LaunchAgents, scheduling their execution at specific times or upon user login.
While Macs generally benefit from built-in security features like Gatekeeper and Sandboxing, they are not impervious to malware. To fortify Mac security, users are advised to employ antivirus software, activate the Mac firewall, and ensure secure app downloads through Gatekeeper, per Make Use Of.
Related Article: Chicago Children's Hospital Hit by Dayslong Cyberattack, Officials Blame Criminal Actor
