A new Rust-based backdoor is targeting macOS users by masquerading as a Visual Studio update. Discovered by Bitdefender researchers, the malware has surfaced in three variants with distinct, but overlapping, functionality.
Malware Disguised as Developer Software Update
The backdoor is distributed as universal (FAT) binaries: a single file whose header points at separate Mach-O slices for both x86_64 (Intel) and ARM64 (Apple silicon), so the same download runs natively on either architecture. Observed activity dates back to at least November 2023, and the most recent sample was detected on February 2, 2024.
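Because a universal binary is a container, the hash of the whole file and the hashes of the Mach-O slices inside it are different indicators; the same slice can be re-wrapped in a different container, so hashing each slice separately gives a more durable match than hashing only the download. The script below is an added example, not code from the article or from Bitdefender's report: it parses the FAT header, names each architecture slice, checks that the slice actually carries a Mach-O magic, and hashes each slice. The sample container it builds is constructed inside the script for the demonstration (two minimal fake Mach-O headers with filler bytes); it is not a RustDoor sample, and the `build_fat` helper only imitates the layout `lipo` produces.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE      # 32-bit fat_arch entries
FAT_MAGIC_64 = 0xCAFEBABF   # 64-bit fat_arch_64 entries
MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O (little-endian on disk)
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O (little-endian on disk)

CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def parse_fat(data: bytes) -> list:
    """Return one dict per slice: arch, offset, size, is_macho, sha256."""
    if len(data) < 8:
        raise ValueError("too short for a FAT header")
    magic, nfat = struct.unpack(">II", data[:8])  # FAT headers are big-endian
    if magic not in (FAT_MAGIC, FAT_MAGIC_64):
        raise ValueError("not a FAT/universal binary")
    # 0xCAFEBABE is also the Java class-file magic; there the next field is
    # minor/major version, and major_version is >= 45, so a large "slice count"
    # means a class file was handed in, not a universal binary.
    if nfat == 0 or nfat >= 45:
        raise ValueError(f"implausible slice count {nfat}; probably a Java class file")
    entry_fmt = ">iiIII" if magic == FAT_MAGIC else ">iiQQII"
    entry_len = struct.calcsize(entry_fmt)
    slices = []
    pos = 8
    for _ in range(nfat):
        if len(data) < pos + entry_len:
            raise ValueError("FAT arch table truncated")
        fields = struct.unpack(entry_fmt, data[pos:pos + entry_len])
        cputype, offset, size = fields[0], fields[2], fields[3]
        pos += entry_len
        if offset + size > len(data):
            raise ValueError("slice extends past end of file (truncated sample?)")
        blob = data[offset:offset + size]
        slice_magic = struct.unpack("<I", blob[:4])[0] if len(blob) >= 4 else 0
        slices.append({
            "arch": CPU_NAMES.get(cputype, f"cputype_0x{cputype & 0xFFFFFFFF:08x}"),
            "offset": offset,
            "size": size,
            "is_macho": slice_magic in (MH_MAGIC, MH_MAGIC_64),
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return slices


def triage(data: bytes) -> dict:
    """Container hash plus per-slice details, the shape an IoC comparison needs."""
    return {"container_sha256": hashlib.sha256(data).hexdigest(),
            "slices": parse_fat(data)}


# --- constructed sample for the demo (not a real binary) ---------------------

def _fake_slice(cputype: int, payload: bytes) -> bytes:
    """A 32-byte mach_header_64 (magic, cputype, cpusubtype, filetype=MH_EXECUTE,
    ncmds, sizeofcmds, flags, reserved) followed by filler bytes."""
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)
    return header + payload


def build_fat(slices: list) -> bytes:
    """Assemble a 32-bit FAT container with 4 KiB-aligned slices, as lipo does."""
    page, align_log2 = 4096, 12
    entries, body, offset = b"", b"", page
    for cputype, blob in slices:
        entries += struct.pack(">iiIII", cputype, 0, offset, len(blob), align_log2)
        pad = (-len(blob)) % page
        body += blob + b"\x00" * pad
        offset += len(blob) + pad
    table = struct.pack(">II", FAT_MAGIC, len(slices)) + entries
    return table + b"\x00" * (page - len(table)) + body


SAMPLE = build_fat([
    (CPU_TYPE_X86_64, _fake_slice(CPU_TYPE_X86_64, b"intel-payload")),
    (CPU_TYPE_ARM64, _fake_slice(CPU_TYPE_ARM64, b"arm-payload")),
])

if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(triage(data), indent=2))
```

Run it with a file path to triage a real download, or with no arguments to see the constructed sample. The `is_macho` flag matters in practice: a FAT header can point at a slice that is not a Mach-O image at all, and a hash of such a slice is not a useful indicator.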
Three Variants Unveiled
The three variants share a core feature set with minor differences. All of them support commands for process management, file system operations, and uploading and downloading data. One variant appears to be a test build: it embeds a plist file taken from a public write-up on macOS evasion techniques.
The second variant is more elaborate, with larger files that carry detailed JSON configurations. It also embeds an AppleScript used for data exfiltration, and it impersonates a range of applications with fake dialog boxes to trick users into entering their admin passwords.
The third, referred to as "variant zero", is the oldest and most rudimentary version; it lacks the scripts and configurations found in the later builds.
Bitdefender's full report details the samples, configurations, and observed behavior of each version, and links the backdoor's command-and-control infrastructure to the BlackBasta and ALPHV/BlackCat ransomware groups.
The report also publishes indicators of compromise, including an extensive list of malicious binaries, the domains used to host the downloads, and command-and-control URLs, which defenders can use to detect and block this threat.