
RustDoor macOS Malware Linked To The ALPHV/BlackCat Ransomware Group

RustDoor, recently identified by Bitdefender security researchers, is a new macOS backdoor. The malicious program is distributed disguised as a legitimate Visual Studio update and targets Mac users.

The campaign has been active since at least November 2023 and is still distributing updated versions of the malware. According to Bitdefender's researchers, RustDoor is written in Rust and runs on both Intel-based (x86_64) and ARM (Apple Silicon) Macs.

Bitdefender researchers also found a possible connection between RustDoor and known ransomware activity. The malware communicated with four command and control (C2) servers, three of which had previously been linked to ALPHV/BlackCat ransomware attacks on macOS machines.

This points to a possible relationship, or at least shared infrastructure, between the RustDoor developers and ALPHV/BlackCat, and illustrates how attackers' tooling keeps changing.

The researchers note that the available data is insufficient to attribute RustDoor to a particular threat actor with confidence. The artefacts and indicators of compromise (IoCs) suggest a possible connection with the BlackBasta and ALPHV/BlackCat ransomware operators, but no more than that.

Andrei Lapusneau, security researcher at Bitdefender, said:

ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model.

US authorities announced the disruption of the BlackCat ransomware operation in December 2023 and released a decryption tool that allowed over 500 victims to restore access to data the group had encrypted.

Because cybercriminals have a limited pool of hosting providers that tolerate illegal operations and offer anonymity, different threat actors often end up launching attacks from the same servers. Shared C2 infrastructure is therefore weaker evidence of a shared operator than it might first appear.

Macs, especially Apple Silicon (M1) models with their built-in encryption, had not seen a significant ransomware attack until December 2022. Windows and Linux systems remain the primary targets of cybercrime, but that should not lead you to believe that Macs are invulnerable: the growing popularity of macOS makes Macs an increasingly attractive target for cybercriminals.

Understanding the Risks of RustDoor Backdoor Malware

RustDoor poses as an updater for Visual Studio for Mac, Microsoft's integrated development environment (IDE) for macOS. The disguise is plausible because the product is still widely installed, although Microsoft is retiring Visual Studio for Mac on August 31, 2024.

Researchers confirm that RustDoor gives the operator remote control of the compromised system, including the ability to collect system information and gather and upload files. Once a system is compromised, the malware connects to its C2 servers through dedicated endpoints for victim registration, task retrieval and execution, and data exfiltration.

For persistence, the backdoor installs both cron jobs and LaunchAgents. The cron job re-launches the malware on a schedule, while the LaunchAgent ensures it survives reboots and starts again whenever the user logs in.

Figure: The persistent intrusion tactics used by the backdoor (Bitdefender)

The backdoor also silently modifies the ~/.zshrc file so that it is executed in every new terminal session. In addition, it uses system commands to add itself to the Dock, blending in with legitimate applications and normal user activity.
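The persistence mechanisms described above (LaunchAgents, cron jobs and the ~/.zshrc edit) are the most practical places to hunt for this kind of backdoor. The script below is an added example written for this article, not Bitdefender's detection logic or anything from the RustDoor samples: it parses a LaunchAgent plist, a crontab listing and a .zshrc and flags entries that launch a program from an untrusted location or in the background. The sample inputs, the `/Users/alice/.vsupdate/` path and the `com.example.*` labels are all constructed for the example.

```python
"""Hunt for RustDoor-style persistence in LaunchAgents, cron and ~/.zshrc.

Added example, not the malware's own code.  The heuristics are deliberately
simple: anything they flag still needs a human to look at it.
"""
import plistlib
import re
import subprocess
from pathlib import Path

# Program locations a LaunchAgent would normally point at on a stock Mac.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/Apple/")
# Hidden directories under a home folder, or temp dirs, are unusual homes
# for a persistent program (the RustDoor sample path here is constructed).
SUSPICIOUS_PATH = re.compile(r"(/Users/[^/\s]+/\.[^\s/]+|/tmp/|/var/tmp/|/private/tmp/)")
# "curl ... | sh" style droppers.
NETWORK_FETCH = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh)\b")


def check_launch_agent(name, plist_bytes):
    """Return (name, reason) findings for one LaunchAgent plist."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed plist is itself worth a look
        return [(name, "unparseable plist: %s" % exc)]
    args = plist.get("ProgramArguments") or []
    exe = plist.get("Program") or (args[0] if args else None)
    if exe is None:
        return [(name, "no Program/ProgramArguments")]
    if exe.startswith(TRUSTED_PREFIXES):
        return []
    reasons = ["program outside trusted dirs: " + exe]
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad")   # runs at login, as the article describes
    if plist.get("KeepAlive"):
        reasons.append("KeepAlive")   # relaunched if killed
    return [(name, "; ".join(reasons))]


def check_crontab(text):
    """Flag cron lines that run from odd paths, at reboot, or fetch-and-pipe."""
    findings = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("@reboot") or SUSPICIOUS_PATH.search(s) or NETWORK_FETCH.search(s):
            findings.append(("crontab", s))
    return findings


def check_zshrc(text):
    """Flag rc lines that start something in the background or fetch-and-pipe.

    Normal rc files set variables, aliases and prompts; a line ending in '&'
    or starting with nohup is launching a long-lived process on every shell.
    """
    findings = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        background = s.endswith("&") or s.startswith("nohup ")
        if background or NETWORK_FETCH.search(s):
            findings.append(("~/.zshrc", s))
    return findings


def hunt(launch_agents, crontab_text, zshrc_text):
    """launch_agents: {filename: plist bytes}.  Returns all findings."""
    findings = []
    for name, data in launch_agents.items():
        findings.extend(check_launch_agent(name, data))
    findings.extend(check_crontab(crontab_text))
    findings.extend(check_zshrc(zshrc_text))
    return findings


def hunt_home(home=Path.home()):
    """Run the same checks against a real user profile (macOS)."""
    agents = {p.name: p.read_bytes() for p in (home / "Library/LaunchAgents").glob("*.plist")}
    try:
        cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        cron = ""
    rc = home / ".zshrc"
    return hunt(agents, cron, rc.read_text() if rc.exists() else "")


# Constructed sample data: one benign agent, one that mimics the pattern
# described in the article (hidden dir under $HOME, RunAtLoad + KeepAlive).
PLIST_HEAD = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
PLIST_TAIL = b'</dict></plist>'
SAMPLE_AGENTS = {
    "com.example.sync.plist": PLIST_HEAD + (
        b"<key>Label</key><string>com.example.sync</string>"
        b"<key>ProgramArguments</key><array><string>/Applications/Sync.app/Contents/MacOS/Sync</string></array>"
        b"<key>RunAtLoad</key><true/>") + PLIST_TAIL,
    "com.example.vsupdate.plist": PLIST_HEAD + (
        b"<key>Label</key><string>com.example.vsupdate</string>"
        b"<key>ProgramArguments</key><array><string>/Users/alice/.vsupdate/VisualStudioUpdater</string></array>"
        b"<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>") + PLIST_TAIL,
}
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
*/5 * * * * /Users/alice/.vsupdate/VisualStudioUpdater >/dev/null 2>&1
"""
SAMPLE_ZSHRC = """export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
nohup /Users/alice/.vsupdate/VisualStudioUpdater >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for where, why in hunt(SAMPLE_AGENTS, SAMPLE_CRONTAB, SAMPLE_ZSHRC):
        print("%-28s %s" % (where, why))
```

On a live Mac, `hunt_home()` runs the same checks against the current user's LaunchAgents, crontab and .zshrc. The heuristics are tuned for the pattern this article describes (a hidden directory under the home folder, re-launched at login and from cron), so expect to whitelist legitimate developer tooling that also lives under `$HOME`.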

Bitdefender has identified at least three RustDoor variants, the earliest dating from October 2023. A test build compiled on November 22 was followed by an improved version seen on November 30.

The latest version carries a JSON configuration and an embedded AppleScript used for targeted exfiltration of files with specific extensions.

Despite built-in protections such as Gatekeeper and the App Sandbox, Macs remain vulnerable to malware that the user is tricked into running. Strengthening Mac security means running endpoint protection, enabling the macOS firewall, keeping Gatekeeper enabled so that only signed and notarised apps run, and treating unexpected "updates" for developer tools with suspicion.
