Genshin Impact as a Cover: HZ RAT Attacks macOS

Friend

The attackers chose an unexpected way to deliver malicious code.

Kaspersky Lab experts have identified a new threat to macOS users in China: the HZ RAT malware, which was previously known only in the Microsoft Windows version. The Trojan is distributed through popular Chinese instant messengers such as DingTalk and WeChat and poses a serious data security threat.

Researcher Sergey Puzan noted that the functionality of the HZ RAT on macOS is almost identical to the Windows version, with the only difference being in the way the malicious code is delivered. The malware receives instructions from the C2 server, which include executing PowerShell commands, writing and sending files, and collecting data about the system.

The HZ RAT was first documented by the German company DCSO in November 2022. At that time, the malware was distributed through self-extracting archives or malicious RTF documents created using the Royal Road RTF tool. The attackers exploited a vulnerability in Microsoft Office (CVE-2017-11882) to install malware on victims' devices.

Another distribution method of the HZ RAT is disguising itself as the installation of legitimate software such as OpenVPN or PuTTYgen. In this case, alongside the installation of the program, a malicious Visual Basic script is launched, which activates the HZ RAT.

The main purpose of the HZ RAT is to collect user data, such as account credentials and system information. The malware is capable of obtaining data from instant messengers, including WeChat ID, email, and phone numbers. Attackers are especially interested in accessing corporate information through DingTalk.

The latest sample of the HZ RAT was uploaded to VirusTotal in July 2023. This variant masquerades as an OpenVPN installation package and, like its Windows counterpart, executes four basic commands: running system commands, writing files, sending files to the server, and checking the victim's availability.

The attack infrastructure includes C2 servers located primarily in China, with the exception of two servers in the United States and the Netherlands. Additional analysis showed that the infected ZIP archive containing the macOS installation package was downloaded from a domain owned by the Chinese video game developer miHoYo, known for the games Genshin Impact and Honkai: Star Rail.

It is not yet clear exactly how the file got to this domain and whether the server infrastructure was compromised. Despite this, the continued activity of the HZ RAT years after its discovery is indicative of some success for the attackers.

According to Sergey Puzan, the macOS version of the HZ RAT shows that the cybercriminals behind the previous attacks remain active and continue their attempts to collect user data, with the possibility of further spread across the victim's network.
