HZ Rat Attacking macOS Users Via Messaging Platform WeChat

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Hackers target macOS as its growing user base makes it an increasingly attractive target. 

Despite its reputation for strong security, macOS vulnerabilities exist, and exploiting them can give hackers access to valuable data or control over devices, particularly in environments where macOS is used in corporate settings.

Cybersecurity researchers at Kaspersky Lab recently identified HZ Rat attacking macOS users via the messaging platform WeChat.

HZ Rat Attacking macOS Users

Researchers discovered in June 2024 a macOS version of the HZ Rat backdoor that had been targeting Windows users since November 2022.

This new development focuses on users of the corporate instant messenger DingTalk and the social messaging platform “WeChat.”

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

The macOS version closely replicates the Windows variant’s functionality, differing primarily in its payload delivery mechanism, which utilizes shell scripts received from the attackers’ command and control (C2) server. 

Interestingly, certain variants of the backdoor use local addresses pertaining to the C2, suggesting that their use is for definite objectives and that lateral movement across the already breached networks is possible.

As a result of this macOS expansion, HZ Rat has transformed from an initial Windows OS PowerShell executable threat into malware that can be used in any operating system.

OpenVPNConnect.pkg on VirusTotal (Source – Securelist)

This sophisticated macOS backdoor was detected in July of 2023 and disguised as OpenVPN Connect (OpenVPNConnect.pkg), yet none of the vendors within VirusTotal detected its presence.

Structure of the malicious installation package (Source – Securelist)

This malware, which should be associated with HZ Rat, contains three dll components:-

  • The regular OpenVPN application
  • A shell script ‘exe,’
  • An initiating file ‘init’

The permit and IP address of C2 servers were found to be dominantly situated in China, using port 8081 and xor encryption key 0x42.

The backdoor client developed in C++ begins with session initialization by using a random 4-byte ‘cookie’ and four basic commands, such as executing shell commands, writing and/or downloading files, and pinging for availability, reads the Securelist report.

This malware gathers a lot of system information, including the SIP status, hardware, IP address, Bluetooth devices, WiFi networks, storage, application lists, and so on.

In particular, it relies upon the userinfo.data retrieved from WeChat and the orgEmployeeModel, sAlimailLoginEmail, or holmes.mapping files from DingTalk.

Some variants utilize private IP addresses suggesting lateral movement within a network could be possible.

The source of the malware remains unknown however it was connected to a notorious domain (hxxp://vpn.mihoyo[.]com/uploads/OpenVPNConnect.zip), consequently the speculation of a leak.

Currently, the attackers are mostly interested in harvesting data from the Google Password Manager, although the full range of backdoor capabilities and the attackers’ aims remain speculative due to some file transfer commands remaining inactive.

IoCs

IoCs (Source – Securelist)

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial