New RustDoor macOS Malware Disguised as Visual Studio Update

A new macOS backdoor that poses as a Visual Studio update has been identified by researchers at Bitdefender, who named it RustDoor. The malware gives its operators remote access to infected Macs and talks to infrastructure previously tied to the ALPHV/BlackCat ransomware gang.

The campaign distributing the backdoor began no later than November 2023 and is still pushing updated variants.

RustDoor is written in Rust and ships builds for both Intel (x86_64) and Apple Silicon (arm64) Macs, so it runs natively on any current macOS system.

Potential Connection to Ransomware Operations

Bitdefender researchers found that RustDoor communicates with four command and control (C2) servers. Three of them had previously been seen in ransomware attacks attributed to the ALPHV/BlackCat group.

There is not enough evidence to attribute RustDoor to a specific threat actor, but the shared infrastructure and other indicators of compromise point to a possible link with affiliates of the BlackBasta and ALPHV/BlackCat ransomware operations.

Distribution and Characteristics

RustDoor is delivered mainly as a fake Visual Studio for Mac update, under file names such as 'zshrc2,' 'Previewers,' and 'VisualStudioUpdater_Patch.' It has been in circulation for at least three months and went undetected during that period.

Three versions of the malware have been seen, each packaged as a FAT (universal) binary that bundles a Mach-O slice for Intel and one for ARM in a single file. Shipping one file for both architectures, an unusual choice for malware, keeps the campaign's footprint small and reduces the number of artifacts security software has to catch.
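A FAT binary is just a big-endian header table in front of the per-architecture Mach-O slices, so a triage script can confirm what architectures a suspect file carries without running it. The following Python is an added example, not code from the article or from Bitdefender: it parses the `fat_header`/`fat_arch` table, verifies that each slice really starts with a 64-bit Mach-O header for the advertised CPU type, and reports whether the file is an Intel plus ARM universal binary. The sample file it builds is constructed inline (bare Mach-O headers with no load commands) purely so the parser has something to run against.

```python
import struct

# Constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE        # fat header magic, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O magic, stored in the slice's native (little) endianness
CPU_TYPE_X86_64 = 0x01000007  # CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0x0100000C   # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

FAT_HEADER = struct.Struct(">II")            # magic, nfat_arch
FAT_ARCH = struct.Struct(">iiIII")           # cputype, cpusubtype, offset, size, align (log2)
MACH_HEADER_64 = struct.Struct("<IiiIIIII")  # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved


def parse_fat_slices(data: bytes):
    """Return [(arch_name, offset, size, slice_header_valid)] per slice, or [] if the file is not FAT."""
    if len(data) < FAT_HEADER.size:
        return []
    magic, nfat_arch = FAT_HEADER.unpack_from(data, 0)
    if magic != FAT_MAGIC:
        return []
    slices = []
    for i in range(nfat_arch):
        entry = FAT_HEADER.size + i * FAT_ARCH.size
        if entry + FAT_ARCH.size > len(data):
            break  # header table claims more slices than the file holds
        cputype, _subtype, offset, size, _align = FAT_ARCH.unpack_from(data, entry)
        # Each slice must itself begin with a Mach-O header whose cputype agrees with the table;
        # a mismatch means the table was tampered with or the file is truncated.
        valid = False
        if size >= MACH_HEADER_64.size and offset + MACH_HEADER_64.size <= len(data):
            mh_magic, mh_cputype = MACH_HEADER_64.unpack_from(data, offset)[:2]
            valid = mh_magic == MH_MAGIC_64 and mh_cputype == cputype
        slices.append((CPU_NAMES.get(cputype, hex(cputype & 0xFFFFFFFF)), offset, size, valid))
    return slices


def is_intel_and_arm_universal(data: bytes) -> bool:
    """True when the file is a FAT binary carrying valid x86_64 *and* arm64 Mach-O slices."""
    archs = {name for name, _off, _size, valid in parse_fat_slices(data) if valid}
    return {"x86_64", "arm64"} <= archs


def build_sample_fat() -> bytes:
    """Constructed sample: a two-slice FAT file whose slices are bare Mach-O headers (no load commands)."""
    page = 0x1000  # slices are page-aligned; align field below is log2(page) = 12
    # (cputype, cpusubtype, offset): CPU_SUBTYPE_X86_64_ALL = 3, CPU_SUBTYPE_ARM64_ALL = 0
    layout = [(CPU_TYPE_X86_64, 3, 1 * page), (CPU_TYPE_ARM64, 0, 2 * page)]
    out = bytearray(FAT_HEADER.pack(FAT_MAGIC, len(layout)))
    for cputype, subtype, offset in layout:
        out += FAT_ARCH.pack(cputype, subtype, offset, MACH_HEADER_64.size, 12)
    for cputype, subtype, offset in layout:
        out += b"\x00" * (offset - len(out))  # pad up to the slice's page boundary
        # MH_EXECUTE = 2; ncmds/sizeofcmds are zero because the sample carries no load commands
        out += MACH_HEADER_64.pack(MH_MAGIC_64, cputype, subtype, 2, 0, 0, 0, 0)
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_fat()
    for arch, off, size, ok in parse_fat_slices(sample):
        print(f"{arch:8s} offset=0x{off:x} size={size} header_ok={ok}")
    print("universal x86_64+arm64:", is_intel_and_arm_universal(sample))
```

On a real Mac, `file suspect.bin` and `lipo -archs suspect.bin` give the same answer; the point of parsing the table yourself is that it also exposes a slice whose Mach-O header does not match what the FAT table advertises, which `lipo` will not flag for you.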

Functionality and Persistence

Once installed, RustDoor gives the attackers control of the compromised Mac and a channel for exfiltrating data. It persists by writing to startup configuration rather than by exploiting any flaw: it installs cron jobs and LaunchAgents that launch it on a schedule or at user login, so it survives reboots.

Its command set covers executing arbitrary shell commands, listing, reading, writing and deleting files and directories, terminating processes, uploading collected data to the C2 servers, and downloading additional components.

To blend in with normal user activity, RustDoor also appends an entry to ~/.zshrc so it is started from every new terminal session, and adds itself to the Dock using system commands, where an extra icon is easy to overlook.
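Every persistence mechanism described above leaves a plaintext artifact in the user's home directory, which is where a responder should look first. The Python below is an added example, not code from the article or from Bitdefender: it triages a LaunchAgent plist, a user crontab and a ~/.zshrc, flagging entries whose program lives in a user-writable location or carries one of the file names the article reports, and noting when the entry also runs at login, at reboot, or in the background of every new shell. The LaunchAgent label `com.example.visualstudio.updater`, the path `/Users/alice/...` and all three sample inputs are constructed for the example; the file names are the ones the article lists.

```python
import plistlib
import re
from pathlib import PurePosixPath

# File names the article reports for this campaign, used here as plain string indicators
REPORTED_NAMES = {"zshrc2", "Previewers", "VisualStudioUpdater_Patch"}
# Locations a non-admin user can write to: a persistence entry pointing here is not
# necessarily malicious, but it is where a user-level implant has to live
USER_WRITABLE_PREFIXES = ("/Users/", "~/", "/tmp/", "/private/tmp/", "/var/folders/")

_CRON_LINE = re.compile(r"^\s*(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<cmd>\S.*)$")
_PATH_TOKEN = re.compile(r"(?:~|/)[\w./-]+")


def _name_reasons(path: str) -> list:
    name = PurePosixPath(path).name
    return [f"file name '{name}' matches a reported RustDoor artifact"] if name in REPORTED_NAMES else []


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Flag a LaunchAgent whose program is in a user-writable path or carries a reported name."""
    plist = plistlib.loads(plist_bytes)
    program = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]
    reasons = _name_reasons(program)
    if program.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("program lives in a user-writable location")
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad=true, so it starts at every login")
    return {"label": plist.get("Label"), "program": program, "reasons": reasons}


def triage_crontab(text: str) -> list:
    """Return crontab entries whose command points at a reported name or a user-writable path."""
    findings = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _CRON_LINE.match(line)
        if not m:
            continue  # blank line or a VAR=value assignment
        exe = m.group("cmd").split()[0]
        reasons = _name_reasons(exe)
        if exe.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("command lives in a user-writable location")
        if reasons and m.group("sched") == "@reboot":
            reasons.append("@reboot schedule, so it survives restarts")
        if reasons:
            findings.append({"line": line.strip(), "program": exe, "reasons": reasons})
    return findings


def triage_zshrc(text: str) -> list:
    """Return ~/.zshrc lines that start a reported artifact, or background any executable, at shell startup."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        backgrounded = stripped.endswith("&") or stripped.startswith("nohup ")
        for tok in _PATH_TOKEN.findall(stripped):
            reasons = _name_reasons(tok)
            if backgrounded:
                reasons.append("launched in the background from every new terminal session")
            if reasons:
                findings.append({"line": stripped, "program": tok, "reasons": reasons})
                break  # one finding per line is enough
    return findings


# --- constructed sample inputs (not real IoCs) ---
SAMPLE_LAUNCH_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.visualstudio.updater</string>
  <key>ProgramArguments</key><array><string>/Users/alice/Library/VisualStudioUpdater_Patch</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""
BENIGN_LAUNCH_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync-helper</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""
SAMPLE_CRONTAB = """# m h dom mon dow command
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
@reboot /Users/alice/Library/Previewers
*/5 * * * * /Users/alice/Library/VisualStudioUpdater_Patch >/dev/null 2>&1
"""
SAMPLE_ZSHRC = """export PATH="/opt/homebrew/bin:$PATH"
alias ll='ls -la'
source ~/.oh-my-zsh/oh-my-zsh.sh
nohup ~/Library/zshrc2 >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    print(triage_launch_agent(SAMPLE_LAUNCH_AGENT))
    for f in triage_crontab(SAMPLE_CRONTAB) + triage_zshrc(SAMPLE_ZSHRC):
        print(f)
```

On a live system, feed it the contents of each file under ~/Library/LaunchAgents, the output of `crontab -l`, and ~/.zshrc; the heuristics are deliberately broad, so treat hits as things to look at rather than as verdicts.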

Conclusion

RustDoor is still evolving, so macOS users and administrators should treat any unsolicited "Visual Studio update" with suspicion and install updates only through Microsoft's own channels. Reviewing ~/Library/LaunchAgents, user crontabs and ~/.zshrc for unexpected entries is a cheap way to catch this family's persistence, and staying current on emerging macOS malware helps keep the risk from campaigns like this one manageable.
