HZ RAT Backdoor Targets macOS Users of DingTalk and WeChat: A Comprehensive Analysis
In June 2024, researchers at Kaspersky identified a macOS variant of the HZ RAT backdoor, the first time this backdoor has been seen targeting macOS. Its victims are users of the enterprise messaging platform DingTalk and the social networking application WeChat. The Windows version of HZ RAT was first described by DCSO researchers in November 2022, so the macOS build shows the operators extending an existing tool to a second platform rather than starting from scratch.
The macOS version closely mirrors its Windows counterpart in functionality; the main difference is the form of the payload it receives. Where the Windows version executes PowerShell scripts fetched from the attackers, the macOS variant executes shell scripts delivered by the command-and-control (C2) server. Because the implant's job is essentially to run whatever script the operator sends, the same small command set covers credential harvesting, system reconnaissance and data exfiltration, and porting it to another operating system mostly means swapping the interpreter.
The initial infection vector for the macOS version remains unclear. Researchers did, however, find an installation package posing as a legitimate OpenVPN application, named openvpnconnect.pkg, which was uploaded to VirusTotal in July 2023. The package bundles the genuine OpenVPN Connect application, so the victim ends up with a working VPN client; alongside it, the installer launches a shell script called exe, which in turn starts the actual backdoor component, named init. Wrapping a real installer around a malicious payload is a common way to get past a user who would not run an unknown binary, and it is the reason a practitioner should inspect the scripts inside any third-party .pkg before trusting it, rather than judging it by the application it installs.
Once running, the backdoor connects to its C2 server, XOR-encoding the exchanged data and using a random cookie value in the session. This hides the traffic from casual inspection and from simple content signatures, but XOR encoding is obfuscation rather than strong encryption and should not be mistaken for a reason the traffic cannot be analysed. The backdoor then collects user data from DingTalk and WeChat, including names, email addresses, phone numbers and workplace details. It reads these values from the applications' local data files, where they are kept in plain text, so no additional credential or decryption step is needed to harvest them. The combination of a personal identity (WeChat) and a corporate identity (DingTalk) for the same user is what makes this data set valuable to the operators.
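The following is an added example, not code from the Kaspersky report or from the malware itself, that shows why the "XOR encryption" described above is a weak barrier to analysis. It assumes the simplest case, a single-byte XOR key applied to the whole message; the page does not state the key length or value, and the sample payload, the key 0x5A and the shell markers used for scoring are constructed for this example. Given a captured C2 blob, the script tries all 256 possible keys and ranks the candidates by how much they look like a shell script, which is the form the macOS variant's tasks take.

```python
import string

# Constructed sample: a shell-script task of the kind the macOS variant
# receives from its C2, XORed with a single byte. Both the plaintext and
# the key are made up for this example; the real key is not given on the page.
SAMPLE_PLAINTEXT = b"#!/bin/sh\nsw_vers\nwhoami\nls ~/Library/Containers\n"
SAMPLE_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


# Stand-in for a blob captured on the wire between implant and C2.
CAPTURED = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

PRINTABLE = set(string.printable.encode())
# Tokens a decoded macOS task is likely to contain (assumed list, not from the page).
SHELL_MARKERS = (b"#!/", b"/bin/", b"sw_vers", b"whoami", b"curl", b"osascript", b"Library/")


def score_candidate(candidate: bytes) -> float:
    """Higher is more shell-like: fraction of printable bytes plus one point per marker."""
    if not candidate:
        return 0.0
    printable_ratio = sum(1 for b in candidate if b in PRINTABLE) / len(candidate)
    marker_hits = sum(1 for marker in SHELL_MARKERS if marker in candidate)
    return printable_ratio + marker_hits


def brute_force_single_byte_xor(blob: bytes, top: int = 3) -> list[tuple[int, float, bytes]]:
    """Try all 256 keys and return the best (key, score, plaintext) tuples, best first."""
    results = [(key, score_candidate(xor_bytes(blob, key)), xor_bytes(blob, key)) for key in range(256)]
    results.sort(key=lambda r: r[1], reverse=True)
    return results[:top]


def recover_key(blob: bytes) -> int:
    """Return the single key whose decoding looks most like a shell script."""
    return brute_force_single_byte_xor(blob, top=1)[0][0]


if __name__ == "__main__":
    for key, score, plaintext in brute_force_single_byte_xor(CAPTURED):
        print(f"key=0x{key:02x} score={score:.2f} {plaintext[:24]!r}")
    print("recovered key: 0x%02x" % recover_key(CAPTURED))
```

The random cookie in the handshake changes the bytes of each session, so fixed byte-pattern signatures on the first packet are unreliable; it does not enlarge the key space, which is the property this brute force relies on. A longer repeating key would need a Kasiski or Hamming-distance step first, but the ranking logic is the same.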
During the investigation, researchers identified four active C2 servers. Most were located in China; the two exceptions were in the United States and the Netherlands. Some samples also carried private IP addresses as their C2, which suggests that in those deployments the backdoor was meant to report to a host inside the victim's own network. That is a sign of a targeted intrusion rather than an opportunistic campaign, and it raises the possibility of lateral movement, with an already compromised internal host relaying tasks to further machines. For defenders, it also means that blocking the public C2 addresses alone will not catch every sample; outbound connections from an unexpected process to an internal IP:port deserve the same scrutiny.
The actors behind HZ RAT have shown persistence and a willingness to adapt. Since the Windows version was first documented in 2022 they have kept the tool in use and extended it to macOS, which suggests the operation has been delivering results. The collected data could serve espionage, financial fraud or follow-on attacks. The full scope of the operators' intentions remains unclear: some backdoor commands, such as writing files to disk and sending files to the server, were not observed in use during the investigation.
One notable detail is that the macOS executable still contains debugging information. Symbols and debug data make the sample easier to attribute and to analyse, since function names and structure are visible to a reverse engineer, and their presence suggests the binary was built as a development or test build rather than a hardened release. That carelessness helps researchers write accurate detections, but it should not be read as a sign of an unskilled operator; the same actors have maintained and expanded this tool across two platforms for several years.
The discovery of the macOS variant is a reminder that macOS is not immune to malware, whatever its reputation. Its growing share in corporate environments makes it an attractive target for attackers after business data. The practical lessons from this case are specific: install packages only from the vendor's own distribution channel, check the signature and notarization status of a .pkg before running it, treat a package that installs a legitimate application plus an unexplained script or binary as hostile, and keep the operating system, applications and endpoint security tooling up to date.
For organizations, the risk extends beyond the individual user. A backdoor that reads identity and organizational details out of a corporate messaging client such as DingTalk hands the attacker a map of the company, and the potential for lateral movement means one infected laptop can become a foothold for compromising further systems. Organizations should treat macOS endpoints as first-class assets in their threat exposure management, with the same monitoring of process execution, outbound connections and package installs that they apply on Windows.
In addition to HZ RAT, Kaspersky's research highlights other advanced persistent threats (APTs) and malware campaigns targeting various regions and sectors. For instance, the BlindEagle group has been active in Latin America, while the EastWind campaign has targeted Russian organizations. The steady appearance of new backdoors and remote access Trojans (RATs) shows how quickly the threat landscape shifts, and why staying informed and adopting proactive security measures matters for individuals and organizations alike.
The investigation into HZ RAT and its infrastructure is ongoing. The identified C2 servers and the analysed samples give defenders concrete indicators and a clear picture of the operators' methods and objectives. Collaboration between security vendors, law enforcement and affected organizations, and the sharing of threat intelligence and detection logic, remain the most effective ways to disrupt such operations and limit their impact.
As attackers adapt their tooling, the macOS variant of HZ RAT shows how an established backdoor can be carried to a new platform with modest effort. Continuous monitoring, timely patching and attention to what installers actually do on the machine are what keep that adaptation from going unnoticed.