A team of researchers from the cybersecurity company Bitdefender has discovered a new malware that is targeting users with MacOS computers. This malware, known as Trojan.MAC.RustDoor, is capable of stealing files through a backdoor and is distributed as a Microsoft Visual Studio code program update.
The backdoor is part of an undocumented malware family and appears to have links to a group of Windows ransomware. The backdoor is written in Rust, a relatively new programming language in the malware ecosystem, which offers cybercriminals advantages when it comes to evading attack detection and analysis.
Researchers found that this malware can steal specific files or file types, as well as archive them and upload them to the command and control center (C&C) for malicious actors to access. The campaign has been active since at least November 2020 and has been running undetected for at least three months.
In order to distribute itself, this malware spoofs an update to Microsoft’s Visual Studio program and uses file names such as ‘VisualStudioUpdater’, ‘DO_NOT_RUN_ChromeUpdates’, or ‘zshrc2’. The files are displayed as Binary FAT, meaning they can run on multiple types of processors based on Intel (x86_64) and ARM (Apple Silicon) architectures.
Researchers have identified various versions of this malware and found commands that allow cybercriminals to collect and upload files, as well as obtain information about the device itself where the backdoor is being carried out. However, no known threat actor has been attributed to this malware campaign yet. However, it shows similarities with the ransomware ALPHV/BlackCat, which also uses the Rust programming language and common domains for command and control infrastructure servers.
Three out of four command and control servers used in this malware have been associated with previous ransomware campaigns targeting Windows customers. This indicates a possible connection between the MacOS malware and the Windows ransomware campaigns.