A newly discovered Apple macOS backdoor, named RustDoor, is targeting multiple companies in the cryptocurrency sector through a sophisticated malware campaign. Developed in Rust, the malware operates on both Intel-based and ARM architectures.
Researchers from Bitdefender have been tracking the malware since at least November 2023 and discovered that it communicates with C2 servers associated with the notorious ALPHV/BlackCat ransomware gang.
Distribution method
RustDoor is distributed primarily as an updater for Visual Studio for Mac, under different names such as 'zshrc2,' 'Previewers,' 'VisualStudioUpdater,' 'VisualStudioUpdater_Patch,' 'VisualStudioUpdating,' 'visualstudioupdate,' and 'DO_NOT_RUN_ChromeUpdates'.
In some cases, the malware was found masquerading as PDF files purporting to be confidential job-related agreements from cryptocurrency firms.
The malware has been under active distribution and has at least three variants that come packaged as FAT binaries containing Mach-O files for x86_64 Intel and ARM architectures, making them less susceptible to being flagged by security products.
Post-infiltration activities
After infecting a system, the malware communicates with C2 servers to control compromised systems, execute tasks, and exfiltrate data.
Additionally, RustDoor uses cron jobs and LaunchAgents to schedule its execution at specific times or when the user logs in, ensuring it survives system reboots.
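The persistence mechanisms named here, combined with the dropper file names listed under "Distribution method", give a defender a simple starting hunt: snapshot the launchd and cron locations and look for program paths or labels that carry those names. The script below is an added example written for this article, not code from Bitdefender or from the RustDoor analysis. The indicator names are the article's; the launchd directories are the standard macOS locations; the sample plists and crontab used in testing are constructed. A name match is only a lead to verify against the researchers' published IOC list, not a confirmed infection.

```shell
#!/bin/sh
# Added example for this article (not code from Bitdefender or the RustDoor
# research): a read-only hunt over launchd and cron persistence for program
# paths or labels matching the file names under which RustDoor was reported
# to be distributed. The names come from the article; the directory layout
# assumed by collect_macos_persistence is the standard macOS launchd layout.

# Names reported for the dropper. Matched case-insensitively as an ERE
# alternation; "VisualStudioUpdat" covers VisualStudioUpdater,
# VisualStudioUpdater_Patch, VisualStudioUpdating and visualstudioupdate.
RUSTDOOR_NAMES='zshrc2|Previewers|VisualStudioUpdat|DO_NOT_RUN_ChromeUpdates'

# collect_macos_persistence OUTDIR
# Snapshot the per-user and system LaunchAgent/LaunchDaemon plists and the
# current user's crontab into OUTDIR so the scan runs over copies, not the
# live locations. Read-only with respect to the host.
collect_macos_persistence() {
    out="$1"
    mkdir -p "$out"
    for src in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
        [ -d "$src" ] && cp "$src"/*.plist "$out"/ 2>/dev/null || true
    done
    # crontab -l exits non-zero when the user has no table; that is not an error here
    crontab -l > "$out/crontab_$(id -un)" 2>/dev/null || true
}

# scan_persistence DIR
# Grep every .plist and crontab dump below DIR for RUSTDOOR_NAMES. Prints one
# matching file path per line; returns 1 when anything matched, 0 when clean.
# Binary plists still match because their string values are stored as plain ASCII.
scan_persistence() {
    matches=$(find "$1" -type f \( -name '*.plist' -o -name 'crontab*' \) \
        -exec grep -liE "$RUSTDOOR_NAMES" {} + 2>/dev/null)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# Run directly with a snapshot directory to scan it; with no argument the
# file only defines the functions (so it can be sourced).
if [ $# -ge 1 ]; then
    scan_persistence "$1"
    exit $?
fi
```

Typical use is `collect_macos_persistence /tmp/snap` followed by `sh hunt.sh /tmp/snap`, or sourcing the file and calling both functions. The matching is deliberately loose (one alternation covers all four VisualStudioUpdat* variants), so a legitimately named file can produce a false positive; confirm any hit with the binary hashes and domains from the researchers' IOC list rather than the name alone. It also covers only the two persistence mechanisms the article names, so no match is not a clean bill.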
So far, three victims, two located in Hong Kong and one in Nigeria, have been identified.
Conclusion
Researchers have shared a list of known IOCs associated with RustDoor, including binaries, download domains, and URLs. Organizations should also avoid downloading updates from unknown sources.