Insights into a Sophisticated Rust-Based Malware Threat and Its Implications for macOS Security
Bitdefender researchers have uncovered a concerning development in the realm of macOS security: the emergence of a new backdoor threat named Trojan.MAC.RustDoor. This sophisticated malware, coded in the Rust programming language, presents a potent danger to macOS devices by enabling malicious actors to steal specific files, package them into archives, and clandestinely transmit them to a command and control (C2) server.
First observed in November 2023, this backdoor, masquerading as a Visual Studio update, has evolved over time, with newer variants surfacing as recently as February 2024. Despite Bitdefender's diligent efforts, the campaign's attribution remains elusive. However, the presence of artifacts and indicators of compromise hints at potential ties to notorious ransomware operators such as BlackBasta and ALPHV/BlackCat.
The complexity of Trojan.MAC.RustDoor is exacerbated by its utilization of the Rust programming language, which poses challenges for security analysts attempting to dissect its malicious operations. This technological choice grants malware authors a distinct advantage, as traditional analysis methods may prove less effective against Rust-based threats.
Trojan.MAC.RustDoor exists in multiple variants, each with its own functionality and evasion tactics. Variant 1, an initial testing iteration, lays the groundwork for persistence mechanisms but lacks certain critical components. Variant 2, an upgraded version, adds capabilities including complex configuration options and an embedded AppleScript for data exfiltration. Variant Zero, the most recent, retains the backdoor functionality while streamlining other features.
All iterations of Trojan.MAC.RustDoor share a common set of commands for file manipulation, system reconnaissance, and communication with C2 servers. Notably, the malware uses several persistence mechanisms, including manipulation of cron jobs, LaunchAgents, ZSH configuration files, and the macOS Dock, to maintain its presence on infected systems.
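The article names four user-level persistence locations but no tooling for checking them. As an added example (not Bitdefender's code, nor anything from the malware), the Python below audits each of them from file contents so it can be run against a live home directory or a copied profile; the TRUSTED prefixes and the user-writable-path heuristic are assumptions to tune per environment, and the Dock plist layout follows Apple's com.apple.dock.plist format.

```python
import plistlib
import re

TRUSTED = ("/System/", "/Applications/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")  # assumption
ZSH_FILES = (".zshenv", ".zprofile", ".zshrc", ".zlogin")
# Login-shell lines executing from tmp or a per-user Library tree deserve a look (heuristic, assumption)
USER_WRITABLE = re.compile(r"(/tmp/|/var/tmp/|/Users/Shared/|(~|\$HOME|/Users/[^/]+)/Library/)")

def untrusted(path):
    """True when an executable path (or file:// URL) lies outside the TRUSTED prefixes."""
    return not str(path).removeprefix("file://").startswith(TRUSTED)

def check_launch_agents(plists):
    """plists: {filename: bytes}. Flag agents whose program is untrusted or whose plist will not parse."""
    out = []
    for name, raw in plists.items():
        try:
            d = plistlib.loads(raw)
        except Exception:  # a malformed plist is itself noteworthy
            out.append((name, "unparseable plist"))
            continue
        prog = (d.get("ProgramArguments") or [d.get("Program", "")])[0]
        if untrusted(prog):
            out.append((name, f"runs {prog}"))
    return out

def check_zsh(files):
    """files: {name: text}. Flag non-comment lines that touch user-writable locations."""
    return [(f"{n}:{i}", l.strip()) for n, t in files.items() for i, l in enumerate(t.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#") and USER_WRITABLE.search(l)]

def check_crontab(text):
    """text: output of `crontab -l`. Flag jobs (including @reboot) whose command is untrusted."""
    out = []
    for f in (line.split() for line in text.splitlines()):
        if not f or f[0].startswith("#"):
            continue
        cmd = " ".join(f[1:] if f[0].startswith("@") else f[5:])
        if cmd and untrusted(cmd.split()[0]):
            out.append(("crontab", cmd))
    return out

def check_dock(raw):
    """raw: bytes of com.apple.dock.plist. Flag persistent-apps tiles whose bundle is untrusted."""
    tiles = plistlib.loads(raw).get("persistent-apps", [])
    urls = [t.get("tile-data", {}).get("file-data", {}).get("_CFURLString", "") for t in tiles]
    return [("dock", u) for u in urls if untrusted(u)]
```

Feed it the bytes of each plist in ~/Library/LaunchAgents, the text of the files in ZSH_FILES, the output of `crontab -l`, and the bytes of ~/Library/Preferences/com.apple.dock.plist (plistlib reads the binary form directly).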
Communication with C2 servers takes place via specific endpoints, indicating a structured command-and-control infrastructure maintained by the threat actors. Despite ongoing monitoring, the current status of these servers is unclear, with responses indicating no active communication.
As the investigation into Trojan.MAC.RustDoor continues, it underscores the evolving nature of cybersecurity threats facing macOS users. Bitdefender remains committed to providing updates and insights into this ongoing research, serving as a crucial resource for organizations and individuals striving to safeguard their digital assets.
SOURCE: HACKREAD | IMAGE CREDITS: FREEPIK / APPLE