RustDoor: a spy-saboteur for macOS, aimed at developers

Teacher

Researchers have identified a connection between a dangerous piece of malware and the ALPHV/BlackCat ransomware operation.

A new type of malware for macOS, distributed under the guise of an update for Microsoft Visual Studio, has been discovered in the wild. The backdoor, written in the Rust programming language, can run on both Intel (x86_64) and ARM (Apple Silicon) architectures.

Researchers from the company Bitdefender, tracking this threat, called it "RustDoor". It is reported that the operation to spread the backdoor began in November 2023 and continues to this day.

Particular attention is drawn to the possible connection of RustDoor with ransomware distribution operations, in particular with the activities of the well-known ALPHV/BlackCat group.

The researchers found that the malware communicates with four C2 servers, three of which were previously used in attacks potentially linked to actors affiliated with ALPHV/BlackCat. However, the experts stress that this is not enough to attribute RustDoor unambiguously to a specific threat actor.

RustDoor is distributed mainly under the guise of an update for Visual Studio for Mac, Microsoft's integrated development environment, whose macOS support will be discontinued on August 31 this year.

The malware is distributed under several different names and, according to Bitdefender, circulated for at least three months while remaining undetected.

RustDoor has backdoor capabilities that allow the operators to monitor the infected system and exfiltrate data. To persist on the device, the malware modifies system files, using cron jobs and LaunchAgents to schedule its execution at set times or when the user logs in.

In addition, the malware can modify the "~/.zshrc" file so that it is executed in new terminal sessions, or add itself to the Dock alongside system commands, which helps it disguise itself as legitimate applications and user actions.
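A defender-side audit of the three persistence locations the post names (cron jobs, ~/Library/LaunchAgents, and ~/.zshrc), as an added example that is not part of the forum post or of the Bitdefender report. The patterns it flags (programs launched from temp or hidden directories, piped downloads, @reboot entries) are constructed heuristics, not indicators from the report, and the files fed to it below are constructed samples; it runs on macOS or any POSIX shell.

```shell
#!/bin/sh
# Added example: audit the persistence points described for RustDoor.
# Heuristics are constructed for illustration, not from the report.

# Lines in a shell rc file that a defender would want to review.
SUSPECT_RC_PATTERNS='curl .*\| *(sh|bash)|/tmp/|/var/tmp/|/\.[A-Za-z0-9_-]+/.*&$|nohup |base64 (-d|--decode)'

# Print suspicious lines of FILE (default ~/.zshrc); exit 1 if any found.
scan_rc_file() {
    file="${1:-$HOME/.zshrc}"
    [ -r "$file" ] || return 0
    matches=$(grep -En "$SUSPECT_RC_PATTERNS" "$file" || true)
    if [ -n "$matches" ]; then
        printf '%s: suspicious lines\n%s\n' "$file" "$matches"
        return 1
    fi
    return 0
}

# Number of suspicious lines in FILE (default ~/.zshrc).
count_rc_hits() {
    file="${1:-$HOME/.zshrc}"
    [ -r "$file" ] || { echo 0; return; }
    grep -Ec "$SUSPECT_RC_PATTERNS" "$file" || true
}

# For each LaunchAgent plist in DIR (default ~/Library/LaunchAgents), print
# every absolute path in a <string> value that lies outside the usual
# system locations. Paths containing spaces are split; good enough for triage.
list_unusual_launchagents() {
    dir="${1:-$HOME/Library/LaunchAgents}"
    [ -d "$dir" ] || return 0
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        paths=$(sed -n 's/.*<string>\(\/[^<]*\)<\/string>.*/\1/p' "$plist")
        for p in $paths; do
            case "$p" in
                /usr/*|/bin/*|/sbin/*|/System/*|/Applications/*|/Library/*) ;;
                *) printf '%s: runs %s\n' "$plist" "$p" ;;
            esac
        done
    done
}

# Print crontab entries (from FILE, or the current user's crontab when no
# file is given) that run from temp or hidden directories or at reboot.
scan_cron_entries() {
    if [ -n "$1" ]; then
        entries=$(grep -Ev '^[[:space:]]*(#|$)' "$1" || true)
    else
        entries=$(crontab -l 2>/dev/null | grep -Ev '^[[:space:]]*(#|$)' || true)
    fi
    printf '%s\n' "$entries" | grep -E '/tmp/|/var/tmp/|/\.[A-Za-z0-9_-]+/|@reboot' || true
}

# Run all three checks against the current user's real locations.
audit_host() {
    scan_rc_file || true
    list_unusual_launchagents
    scan_cron_entries
}
```

Run `audit_host` from an interactive shell to review the live locations; anything it prints is a lead to examine, not a verdict, since legitimate tools (package managers, dotfile setups) also write to these places.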

Bitdefender has identified at least three RustDoor variants, the first of which was seen in early October 2023. The next sample appeared on November 22 and was apparently a test version, preceding the updated version recorded on November 30.

The latest version includes a complex JSON configuration as well as an embedded AppleScript used to exfiltrate files with certain extensions.

In their report, the researchers provided a list of known indicators of compromise for RustDoor, including binaries, download domains, and the URLs of the four command-and-control (C2) servers.