Emerging RustDoor Malware
A fresh strain of macOS malware, built on Rust, has emerged, masquerading as a Visual Studio update. This malicious software, designed to create backdoor access to compromised systems, is affiliated with the notorious ALPHV/BlackCat ransomware gang.
The campaign responsible for disseminating this backdoor commenced at least as early as November 2023 and continues to proliferate with updated iterations of the malware. Dubbed RustDoor by cybersecurity experts at Bitdefender, the malware is versatile, capable of operating on both Intel-based (x86_64) and ARM (Apple Silicon) architectures.
Bitdefender researchers analyzing RustDoor have identified communication with four command and control (C2) servers. Further investigation reveals that three of these servers have been previously associated with ransomware attacks attributed to an ALPHV/BlackCat affiliate. However, conclusive evidence linking RustDoor to a specific threat actor remains elusive. Nonetheless, artifacts and indicators of compromise (IoCs) suggest a potential connection with the BlackBasta and ALPHV/BlackCat ransomware operators.
Due to constraints on cybercriminals in selecting infrastructure — restricting them to hosting services that offer anonymity and tolerate illicit activities — it’s commonplace for multiple threat actors to share the same servers for their attacks.
While ransomware encryptors for macOS do exist, there are no documented instances, as of now, of ransomware attacks targeting Apple’s operating system, apart from LockBit’s Apple M1 builds predating December 2022. The primary targets for such operations remain Windows and Linux systems, given their prevalence in enterprise environments.
RustDoor is predominantly distributed under various guises, primarily as an update for Visual Studio for Mac, Microsoft’s integrated development environment (IDE) for macOS, slated for discontinuation on August 31 of this year.
This macOS backdoor is deployed under multiple names, including ‘zshrc2,’ ‘Previewers,’ ‘VisualStudioUpdater,’ ‘VisualStudioUpdater_Patch,’ ‘VisualStudioUpdating,’ ‘visualstudioupdate,’ and ‘DO_NOT_RUN_ChromeUpdates.’
According to Bitdefender, the malware has been actively distributed and remained undetected for at least three months. It comes in three versions, packaged as FAT binaries containing Mach-O files for both x86_64 Intel and ARM architectures, albeit not bundled in typical parent files like Application Bundles or Disk Images.
Bitdefender notes that this unorthodox distribution method reduces the campaign’s digital footprint and lowers the likelihood of security products flagging the backdoor as suspicious.
In a recent report, researchers detail RustDoor’s functionalities, including its ability to control compromised systems, exfiltrate data, and persist on devices by modifying system files. Upon infecting a system, the malware communicates with C2 servers using specific endpoints for registration, task execution, and data exfiltration.
Supported commands include listing running processes (‘ps’), executing arbitrary shell commands (‘shell’), changing directories (‘cd’), creating new directories (‘mkdir’), removing files (‘rm’), removing directories (‘rmdir’), pausing execution (‘sleep’), uploading files to a remote server (‘upload’), terminating other malware processes (‘botkill’), displaying messages or prompts (‘dialog’), ending specified processes (‘taskkill’), and downloading files from a remote server (‘download’).
The backdoor employs Cron jobs and LaunchAgents to schedule its execution at specific times or when the user logs in, ensuring persistence across system reboots. Additionally, it modifies the ~/.zshrc file to execute in new terminal sessions or adds itself to the Dock with system commands, enabling it to blend in with legitimate applications and user activities.
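A defender-side hunt for the persistence artifacts described above, as an added example (not Bitdefender’s tooling or the malware’s code): it checks ~/.zshrc, the user’s crontab and ~/Library/LaunchAgents for the binary names listed earlier. The home-directory paths are assumed to be the standard macOS locations, and the sample inputs are constructed.

```python
import os
import re
import plistlib
import subprocess
# Binary names the article lists for RustDoor; matched case-insensitively as hunting leads, not verdicts.
RUSTDOOR_NAMES = ["zshrc2", "Previewers", "VisualStudioUpdater", "VisualStudioUpdater_Patch",
                  "VisualStudioUpdating", "visualstudioupdate", "DO_NOT_RUN_ChromeUpdates"]
NAME_RE = re.compile("|".join(re.escape(n) for n in RUSTDOOR_NAMES), re.IGNORECASE)

def flag_shell_lines(text):
    """Return (line_no, line) for non-comment lines of a ~/.zshrc or crontab body naming a known binary."""
    return [(n, ln.strip()) for n, ln in enumerate(text.splitlines(), 1)
            if NAME_RE.search(ln) and not ln.lstrip().startswith("#")]

def inspect_launchagent(plist_bytes):
    """Summarise a LaunchAgent plist: its label, whether Program/ProgramArguments match, and RunAtLoad."""
    d = plistlib.loads(plist_bytes)
    args = [d.get("Program", "")] + list(d.get("ProgramArguments", []))
    return {"label": d.get("Label", ""), "name_hit": any(NAME_RE.search(a) for a in args),
            "run_at_load": bool(d.get("RunAtLoad", False)), "args": args}

def scan_host(home=os.path.expanduser("~")):
    """Check the real persistence locations on a macOS host (assumed standard paths); returns findings."""
    findings = []
    zshrc = os.path.join(home, ".zshrc")
    if os.path.exists(zshrc):
        with open(zshrc, errors="replace") as f:
            findings += [("zshrc", n, ln) for n, ln in flag_shell_lines(f.read())]
    try:  # 'crontab -l' exits non-zero when the user has no crontab; stdout is then empty
        cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        cron = ""
    findings += [("crontab", n, ln) for n, ln in flag_shell_lines(cron)]
    agents = os.path.join(home, "Library", "LaunchAgents")
    for name in (os.listdir(agents) if os.path.isdir(agents) else []):
        with open(os.path.join(agents, name), "rb") as f:
            info = inspect_launchagent(f.read())
        if info["name_hit"]:
            findings.append(("launchagent", name, info))
    return findings

# Constructed samples (not from a real infection) so the checks can be exercised offline.
SAMPLE_ZSHRC = "export PATH=$PATH:/opt/bin\n# vsupdate\n~/Library/VisualStudioUpdater &\n"
SAMPLE_CRON = "*/5 * * * * /Users/me/.local/Previewers >/dev/null 2>&1\n0 3 * * * /usr/bin/backup.sh\n"
SAMPLE_PLIST = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.visualstudioupdate</string>
<key>ProgramArguments</key><array><string>/Users/me/Library/visualstudioupdate</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""

if __name__ == "__main__":
    print(flag_shell_lines(SAMPLE_ZSHRC), flag_shell_lines(SAMPLE_CRON), inspect_launchagent(SAMPLE_PLIST), scan_host())
```

Matches are leads to triage by hand (the binary’s path, signature and network activity), since a name such as ‘Previewers’ can also appear in benign configuration.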
Bitdefender has identified at least three variants of RustDoor, with the earliest observed in early October 2023. Subsequent versions were spotted on November 22 (appearing to be a test version) and November 30 (which included a complex JSON configuration and an embedded Apple script for file exfiltration).
The researchers have compiled a list of known indicators of compromise for RustDoor, encompassing binaries, download domains, and URLs associated with the four C2 servers.
Happy Hunting!
— j1nx