Apple macOS users are the target of a new Rust-based backdoor that has been operating under the radar since November 2023.
The backdoor, codenamed RustDoor by Bitdefender, has been found to impersonate an update for Microsoft Visual Studio and target both Intel and Arm architectures.
The exact initial access pathway used to propagate the implant is currently not known, although it's said to be distributed as FAT binaries that contain Mach-O files.
Multiple variants of the malware with minor modifications have been detected to date, likely indicating active development. The earliest sample of RustDoor dates back to November 2, 2023.
It comes with a wide range of commands that allow it to gather and upload files, and harvest information about the compromised endpoint.
Some versions also include configurations with details about what data to collect, the list of targeted extensions and directories, and the directories to exclude.
The captured information is then exfiltrated to a command-and-control (C2) server.
The Romanian cybersecurity firm said the malware is likely linked to prominent ransomware families like Black Basta and BlackCat owing to overlaps in C2 infrastructure.
"ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model," security researcher Andrei Lapusneau said.
In December 2023, the U.S. government announced that it took down the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.
Update
When reached for comment on the possible initial access vector, Bogdan Botezatu, director of threat research and reporting at Bitdefender, told The Hacker News that they found new evidence suggesting that the campaign may have been more targeted than previously thought.
"Our initial assumption was that the malware was spread out through malvertising and impersonation (some domains spreading the malware were similar to some popular social media accounts)."
"However, we have a new lead – we were able to identify a couple of first-stage downloaders – application bundles that are responsible for downloading and executing the backdoor. Some of these first stage downloaders claim to be PDF files with job offerings, but in reality, are scripts that download and execute the malware while also downloading and opening an innocuous PDF file that bills itself as a confidentiality agreement."
"These new findings lead us to believe that the malware was used in a targeted attack rather than used in a shotgun distribution campaign. This also explains the malware was widely undetected until we published the investigation on Bitdefender Labs."
