Kaspersky found a Trojan running on macOS, which until now existed only for Windows

Researchers from Kaspersky Lab report the discovery of a macOS version of the HZ Rat backdoor targeting users of the Chinese applications DingTalk and WeChat.

At the same time, the observed artifacts almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is delivered in the form of shell scripts from the attackers' server. HZ RAT was first documented by the German firm DCSO in November 2022 and was distributed via ZIP archives or malicious RTF files, presumably created using the Royal Road RTF Weaponizer.

The RTF-based attack chains are designed to deploy the Windows version of the malware, which runs on the compromised host by exploiting the long-standing CVE-2017-11882 vulnerability in Microsoft Office.

Another distribution method involves installers posing as legitimate software (OpenVPN, PuTTYgen, or EasyConnect) which, in addition to actually installing the lure program, also run a Visual Basic Script (VBS) responsible for launching the RAT.

The functionality of the HZ RAT is quite simple.

Once connected to the C2, it carries out further instructions from the server, including executing PowerShell commands and scripts, writing and sending files, and checking the victim's availability.

Given the limited functionality of the tool, there is speculation that the malware is mainly used to collect credentials and scout systems.

Evidence indicates that the first versions of the malware were discovered back in June 2020.

According to the DCSO, the campaign itself has intensified since at least October 2020.

The latest sample detected by Kaspersky Lab was uploaded to VirusTotal in July 2023, posing as OpenVPN Connect (OpenVPNConnect.pkg); when launched, it establishes communication with the C2 using a list of IP addresses hardcoded in the backdoor.

To communicate with the C2, the backdoor uses single-byte XOR encryption with the key 0x42.
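As an added illustration of what that single-byte XOR scheme means for an analyst (this is example code written for this post, not Kaspersky's or the malware's code, and the sample message is constructed): decoding a captured message with the known 0x42 key, plus a small generalization that recovers an unknown single-byte key from traffic by scoring how text-like each candidate decoding is, which is useful when a new sample changes the key.

```python
# Added example: analysing C2 traffic from a sample that XOR-encodes every
# byte with one key. HZ_RAT_XOR_KEY is the value reported for the macOS
# sample; the "wire" bytes below are constructed, not a real capture.

HZ_RAT_XOR_KEY = 0x42

# Byte set used as a crude "looks like a shell command" heuristic:
# lowercase letters, space and newline. Enough for the demo below.
TEXT_BYTES = frozenset(b"abcdefghijklmnopqrstuvwxyz \n")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def decode_hz_rat(payload: bytes) -> bytes:
    """Decode a captured message with the key reported for this sample."""
    return xor_bytes(payload, HZ_RAT_XOR_KEY)


def text_score(data: bytes) -> int:
    """Number of bytes that fall into the text-like set (higher is better)."""
    return sum(1 for b in data if b in TEXT_BYTES)


def recover_single_byte_key(payload: bytes) -> int:
    """
    Generalisation for a sample whose key is unknown: try all 256 keys and
    keep the one whose decoding scores highest. With a payload consisting of
    lowercase words, spaces and newlines this has a unique winner.
    """
    return max(range(256), key=lambda k: text_score(xor_bytes(payload, k)))


# Constructed plaintext standing in for an availability-check reply, and the
# bytes it would become on the wire under XOR 0x42.
SAMPLE_PLAINTEXT = b"echo still alive\n"
SAMPLE_WIRE = xor_bytes(SAMPLE_PLAINTEXT, HZ_RAT_XOR_KEY)

if __name__ == "__main__":
    print("wire bytes   :", SAMPLE_WIRE.hex())
    print("decoded      :", decode_hz_rat(SAMPLE_WIRE).decode())
    print("recovered key: 0x%02x" % recover_single_byte_key(SAMPLE_WIRE))
```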

The backdoor supports only four main commands, just like in the Windows version.

As part of the study, the researchers were able to obtain shell commands from the command and control server aimed at collecting the following data about the victim: System Integrity Protection (SIP) status, information about the system and device, a list of installed applications, information on WeChat and DingTalk, as well as credentials from the Google password manager.

Further analysis of the attack infrastructure revealed that almost all of the C2s are located in China, with the exception of two, which are located in the United States and the Netherlands.

In addition, it is reported that the ZIP archive (OpenVPNConnect.zip) containing the installation package was previously downloaded from a domain owned by the Chinese video game developer miHoYo, known for Genshin Impact and Honkai.

It is currently unclear how the file was uploaded to the domain in question ("vpn.mihoyo[.]com"), and whether the server was compromised at some point in the past.

It's also unclear how widespread the campaign is, but the newly found macOS version of HZ RAT shows that the threat actors behind the previous attacks are still active.

• Source: https://securelist.com/hz-rat-attacks-wechat-and-dingtalk/113513/