macOS Version of HZ RAT Backdoor Targets Chinese Messaging App Users
Summary:
A recent discovery by Kaspersky researchers revealed a new macOS version of the HZ RAT backdoor. This backdoor specifically targets users of DingTalk, an enterprise messaging platform, and WeChat, a popular social media app, both widely used and essentially required in China. The functionality of the macOS variant is nearly identical to its Windows counterpart, the key difference being that the payload is received from the attacker's server in the form of shell scripts. These attacks attempt to exploit an expansive attack surface, with an estimated 1.4 billion people actively using iPhones. Notably, some versions of the malware use local IP addresses for C2 communication, potentially indicating targeted attacks and the concerning possibility of lateral movement within a victim's network. Almost all of the C2 servers are located in China, barring two, which are based in the U.S. and the Netherlands.

Although the malware's initial access vector is not known, an installation package for one of the backdoor samples was uncovered. The malicious installer masquerades as the legitimate OpenVPN Connect application. After installation, a shell script (the .exe file) runs an init file, which is the actual backdoor. The capabilities of HZ RAT include executing PowerShell commands and scripts, writing arbitrary files to the system, and uploading files to the server. In the observed activity, HZ RAT attempts to obtain the victim's WeChatID, email and phone number. For DingTalk, the attackers attempt to steal detailed victim data such as the name of the organization and department where the user works, their username, corporate email address, and phone number.
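As an added example (not code from the advisory, the linked reports, or Kaspersky), the following Python script shows one way a defender could surface the "C2 on a local IP address" pattern described above in network-connection telemetry: it parses connection events, keeps only destinations in private or link-local ranges, drops connections to a hypothetical allowlist of known internal services, and groups what remains by process and endpoint so that repeated contact with the same internal host stands out for triage. The log format, process paths, addresses, ports and allowlist entries are all constructed for illustration; real input would come from an EDR's connection events or periodic `lsof -i` captures.

```python
"""Flag macOS processes that repeatedly connect to private-range addresses.

Added example for this advisory; it is not code from the original report or
from Kaspersky. The telemetry format, the process paths and the allowlist
below are all constructed for illustration.
"""
import ipaddress
import os
import re
from collections import defaultdict

# Address ranges that never leave the local network (RFC 1918, link-local,
# loopback). A RAT beaconing to one of these instead of an Internet host is
# the behaviour the advisory calls out as a possible lateral-movement signal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8",
)]

# Hypothetical allowlist of internal services and the process names expected
# to talk to them: (destination IP, port) -> set of executable basenames.
ALLOWED_INTERNAL = {
    ("192.168.1.5", 993): {"Mail"},           # corporate IMAP server
    ("192.168.1.1", 53): {"mDNSResponder"},   # local resolver
}

# Constructed sample telemetry, one event per line:
# ISO timestamp, executable path, remote ip:port.
SAMPLE_LOG = """\
2024-08-27T10:01:02Z /Applications/Safari.app/Contents/MacOS/Safari 203.0.113.10:443
2024-08-27T10:01:05Z /Applications/Mail.app/Contents/MacOS/Mail 192.168.1.5:993
2024-08-27T10:01:09Z /Applications/OpenVPN Connect.app/Contents/MacOS/init 192.168.1.20:8081
2024-08-27T10:01:12Z /usr/sbin/mDNSResponder 192.168.1.1:53
2024-08-27T10:01:15Z /Applications/OpenVPN Connect.app/Contents/MacOS/init 192.168.1.20:8081
2024-08-27T10:01:21Z /Applications/OpenVPN Connect.app/Contents/MacOS/init 192.168.1.20:8081
2024-08-27T10:01:40Z /usr/bin/ssh 10.0.0.8:22
2024-08-27T10:02:30Z /Applications/Slack.app/Contents/MacOS/Slack 198.51.100.7:443
"""

# Lazy middle group so executable paths containing spaces still parse.
LINE_RE = re.compile(r"^(\S+)\s+(.+?)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def is_internal(ip: str) -> bool:
    """True if the address lies in a private, link-local or loopback range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one telemetry line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proc, ip, port = m.groups()
    return {"ts": ts, "proc": proc, "ip": ip, "port": int(port)}


def find_internal_c2(log_text: str, min_hits: int = 3):
    """Return alerts for internal destinations not covered by the allowlist.

    Each alert groups all connections from one executable to one ip:port and
    marks it as 'repeated' once it reaches min_hits, the beaconing pattern
    that is worth triaging first.
    """
    hits = defaultdict(list)
    for event in map(parse_line, log_text.splitlines()):
        if event is None or not is_internal(event["ip"]):
            continue
        allowed = ALLOWED_INTERNAL.get((event["ip"], event["port"]), set())
        if os.path.basename(event["proc"]) in allowed:
            continue
        hits[(event["proc"], event["ip"], event["port"])].append(event["ts"])

    alerts = []
    for (proc, ip, port), stamps in hits.items():
        alerts.append({
            "process": proc,
            "dst": f"{ip}:{port}",
            "hits": len(stamps),
            "first_seen": stamps[0],
            "last_seen": stamps[-1],
            "repeated": len(stamps) >= min_hits,
        })
    # Most frequent talker first.
    alerts.sort(key=lambda a: a["hits"], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in find_internal_c2(SAMPLE_LOG):
        flag = "BEACON " if alert["repeated"] else "single "
        print(f"{flag}{alert['process']} -> {alert['dst']} ({alert['hits']} hits)")
```

On the constructed input, the executable dropped by the fake installer is the only process reaching the repeat threshold, while the one-off ssh connection is reported at lower priority; in practice the allowlist would be populated from an inventory of known internal services, and a hit from a freshly installed application bundle deserves the same scrutiny as a high count.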
Security Officer Comments:
The emergence of the macOS version of HZ RAT signifies the continued activity of the threat actors behind this campaign. The targeted apps indicate that the adversary is attempting to target Chinese-speaking individuals. It is suspected that the primary directive of this malware is to harvest credentials and perform reconnaissance. The information harvested from DingTalk potentially indicates that the collected data could be sold on the cybercriminal marketplace to APT groups, laying the groundwork for future attacks against organizations. While the currently observed behavior focuses on data collection from targeted messaging apps, including user IDs, phone numbers, and even organizational details for DingTalk users, the presence of local IP addresses in some samples suggests potential for lateral movement within compromised networks. This elevates the risk associated with this backdoor, as it could be leveraged to expand the attackers' reach within a network. Evidence shows that the first iterations of the malware were detected in the wild as early as June 2020. It is undetermined how widespread this campaign is; however, the historical success of the campaign, evident from its continued use, underscores the importance of maintaining vigilance against this RAT.
It's crucial for organizations, particularly those with a presence in China and utilizing DingTalk or WeChat, to implement robust security measures to protect their users and data. Educating employees about phishing tactics and the dangers of downloading software from unverified sources is essential. Additionally, deploying endpoint detection and response (EDR) solutions is critical to effectively identify and mitigate threats like HZ RAT.
Suggested Corrections:
IOCs for this recent activity are published here.
Although an original distribution point was not discovered by Kaspersky researchers, the malicious installation package disguised as legitimate software highlights the importance of preventing phishing attempts. The increase in remote work has increased reliance on email as a vital communication mechanism. These conditions also increase the risk of personnel being targeted by phishing or spam attacks, and thus of ransomware and other malware infections. Users should adhere to the following recommendations:
- Do not open emails or download software from untrusted sources
- Do not click on links or attachments in emails that come from unknown senders
- Do not supply passwords, personal information, or financial information via email to anyone (sensitive information is also used for double extortion)
- Always verify the email sender's email address, name, and domain
- Backup important files frequently and store them separately from the main system
- Protect devices using antivirus, anti-spam, and anti-spyware software
- Report phishing emails to the appropriate security or I.T. staff immediately
Link(s):
https://thehackernews.com/2024/08/macos-version-of-hz-rat-backdoor.html
https://securelist.com/hz-rat-attacks-wechat-and-dingtalk/113513/