New Malware Mimic as Visual Studio Update to Attack macOS users

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

A new backdoor written in Rust has been discovered to target macOS users with several interesting features. Moreover, there have been 3 variants of backdoor found masquerading under the name of Visual Studio Update.

The backdoor is distributed as FAT binaries with Mach-O files for x84_64 Intel and ARM architectures. In addition to this, the backdoor dates back to early November 2023, with the latest sample being found on Feb 2nd, 2024. 

html
Document

Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks

.

Malware Mimic as Visual Studio Update

Bitdefender said that , most of the samples have the same core functionalities with little variations. A list of identified samples is as follows:

  • zshrc2
  • Previewers
  • VisualStudioUpdater
  • VisualStudioUpdater_Patch
  • VisualStudioUpdating
  • visual studio update
  • DO_NOT_RUN_ChromeUpdates

All of the variants support the following commands

  • ps
  • shell
  • cd
  • mkdir
  • rm
  • rmdir
  • sleep
  • upload
  • botkill
  • dialog
  • taskkill
  • download

Variant 1

This was found to be a test version of the backdoor identified by the plist file (test.plist). However, the embedded plist file was found to be copy-pasted from a public writeup that describes the mechanisms and sandbox evasion techniques for macOS.

Variant 1 source files (Source: Bitdefender)
.plist file created for persistence (Source: Bitdefender)

Variant 2

The number of files in this second variant has several large files containing a complex JSON configuration along with an embedded Apple Script for extracting the data. This Apple script had been found with several variants, all of them meant for data exfiltration purposes.

Variant 1 source files (Source: Bitdefender)

Moreover, the configuration options contain a list of applications to be impersonated to spoof the administrator password with a dialog box.

Variant zero

This was the oldest version that first appeared on November 11, 2023. Since this was the earliest version of the backdoor, it lacks the Apple script and embedded configurations.

Bitdefender has published a comprehensive report on a backdoor that has been traced back to the BlackBasta and (ALPHV/BlackCat) ransomware operators. The report contains in-depth information on the backdoor’s various variants, samples, source code, and other relevant details.

Indicators of Compromise

Binaries

  • 6dd3a3e4951d34446fe1a5c7cdf39754 (VisualStudioUpdater_Patch)
  • 90a517c3dab8ceccf5f1a4c0f4932b1f (VisualStudioUpdater_Patch)
  • b67bba781e5cf006bd170a0850a9f2d0 (VisualStudioUpdating)
  • f5774aca722e0624daf67a2da5ec6967 (VisualStudioUpdater_Patch)
  • 52a9d67745f153465fac434546007d3a (Previewers)
  • 30b27b765878385161ca1ee71726a5c6 (DO_NOT_RUN_ChromeUpdates)
  • 1dbc26447c1eaa9076e65285c92f7859 (visualstudioupdate)
  • 05a8583f36599b5bc93fa3c349e89434 (VisualStudioUpdater)
  • 5d0c62da036bbe375cb10659de1929e3 (VisualStudioUpdater)
  • 68e0facbf541a2c014301346682ef9ca (VisualStudioUpdater)
  • b2bdd1d32983c35b3b1520d83d89d197 (zshrc2)
  • 5fcc12eaba8185f9d0ddecafae8fd2d1 (zshrc2)
  • 97cd4fc94c59121f903f2081df1c9981
  • 28bdd46d8609512f95f1f1b93c79d277
  • 3e23308d074d8bd4ffdb5e21e3aa8f22
  • 088779125434ad77f846731af2ed6781
  • b67f6e534d5cca654813bd9e94a125b9
  • cf54cba05efee9e389e090b3fd63f89b
  • 44fcf7253bcf0102811e50a4810c4e41
  • 690a097b0eea384b02e013c1c0410189
  • 186be45570f13f94b8de82c98eaa8f4f
  • 3c780bcfb37a1dfae5b29a9e7784cbf5
  • 925239817d59672f61b8332f690c6dd6
  • 9c6b7f388abec945120d95d892314ea7
  • 85cd1afbc026ffdfe4cd3eec038c3185
  • 6aaba581bcef3ac97ea98ece724b9092
  • bcbbf7a5f7ccff1932922ae73f6c65b7
  • bde0e001229884404529773b68bb3da0
  • 795f0c68528519ea292f3eb1bd8c632e
  • bc394c859fc379900f5648441b33e5fd
  • 0fe0212fc5dc82bd7b9a8b5d5b338d22
  • 835ebf367e769eeaaef78ac5743a47ca
  • bdd4972e570e069471a4721d76bb5efb
  • https[:]//sarkerrentacars[.]com/zshrc
  • https[:]//turkishfurniture[.]blog/Previewers
  • http[:]//linksammosupply[.]com/zshrc2
  • http[:]//linksammosupply[.]com/VisualStudioUpdaterLs2
  • http[:]//linksammosupply[.]com/VisualStudioUpdater

C&C URLs

  • maconlineoffice[.]com
  • 193.29.13[.]167
  • 88.214.26[.]22
  • https://serviceicloud[.]com

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.