Several companies operating in the cryptocurrency sector are the target of a newly discovered Apple macOS backdoor codenamed RustDoor.
RustDoor was first documented by Bitdefender last week, which described it as Rust-based malware capable of harvesting and uploading files as well as gathering information about the infected machine. It's distributed by masquerading as a Visual Studio update.
While prior evidence uncovered at least three different variants of the backdoor, the exact initial propagation mechanism remained unknown.
That said, the Romanian cybersecurity firm subsequently told The Hacker News that the malware was used as part of a targeted attack rather than a shotgun distribution campaign, noting that it found additional artifacts that are responsible for downloading and executing RustDoor.
"Some of these first stage downloaders claim to be PDF files with job offerings, but in reality, are scripts that download and execute the malware while also downloading and opening an innocuous PDF file that bills itself as a confidentiality agreement," Bogdan Botezatu, director of threat research and reporting at Bitdefender, said.
Since then, three more malicious samples that act as first-stage payloads have come to light, each of them purporting to be a job offering. These ZIP archives predate the earlier RustDoor binaries by nearly a month.
The new component of the attack chain, i.e., the archive files ("Jobinfo.app.zip" or "Jobinfo.zip"), contains a basic shell script that's responsible for fetching the implant from a website named turkishfurniture[.]blog. It's also engineered to preview a harmless decoy PDF file ("job.pdf") hosted on the same site as a distraction.
Bitdefender said it also detected four new Golang-based binaries that communicate with an actor-controlled domain ("sarkerrentacars[.]com"), whose purpose is to "collect information about the victim's machine and its network connections using the system_profiler and networksetup utilities, which are part of the macOS operating system."
In addition, the binaries are capable of extracting details about the disk via "diskutil list" as well as retrieving a wide list of kernel parameters and configuration values using the "sysctl -a" command.
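The four discovery utilities named above (system_profiler, networksetup, diskutil list, sysctl -a) are all legitimate macOS tools, so none of them is suspicious on its own; what stands out is one parent process running several of them in quick succession. The following is an added detection example, not code from the article or from Bitdefender: it parses a simple, constructed process-execution log (the key=value line format, pids, timestamps and the "/tmp/updater" parent path are all made up for illustration) and flags any parent that launches at least three distinct discovery commands within a five-minute window. Real endpoint telemetry (EndpointSecurity, osquery, a log shipper) has its own schema, so only the parsing would need to change.

```python
"""
Added example: flag a single parent process that runs several macOS
host-discovery utilities within a short window. The log format, process
ids, paths and timestamps below are constructed for illustration only.
"""
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. "/tmp/updater" is a placeholder for an unknown
# binary; the two /bin/zsh entries stand in for an admin's interactive use.
SAMPLE_LOG = """\
2024-02-12T10:01:05Z pid=612 ppid=598 parent=/tmp/updater argv="/usr/sbin/system_profiler SPHardwareDataType"
2024-02-12T10:01:06Z pid=613 ppid=598 parent=/tmp/updater argv="/usr/sbin/networksetup -listallhardwareports"
2024-02-12T10:01:06Z pid=614 ppid=598 parent=/tmp/updater argv="/usr/sbin/diskutil list"
2024-02-12T10:01:07Z pid=615 ppid=598 parent=/tmp/updater argv="/usr/sbin/sysctl -a"
2024-02-12T10:15:30Z pid=702 ppid=700 parent=/bin/zsh argv="/usr/sbin/diskutil list"
2024-02-12T11:40:00Z pid=803 ppid=800 parent=/bin/zsh argv="/usr/sbin/sysctl -a"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'parent=(?P<parent>\S+) argv="(?P<argv>[^"]*)"$'
)


def parse_line(line):
    """Turn one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "pid": int(m["pid"]),
        "ppid": int(m["ppid"]),
        "parent": m["parent"],
        "argv": shlex.split(m["argv"]),
    }


def classify(argv):
    """Map an argv list onto one of the discovery commands named in the
    report, or None. Matching on basename plus the relevant argument keeps
    'diskutil info' and plain 'sysctl <key>' from counting."""
    if not argv:
        return None
    exe = argv[0].rsplit("/", 1)[-1]
    args = argv[1:]
    if exe == "system_profiler":
        return "system_profiler"
    if exe == "networksetup":
        return "networksetup"
    if exe == "diskutil" and args[:1] == ["list"]:
        return "diskutil list"
    if exe == "sysctl" and "-a" in args:
        return "sysctl -a"
    return None


def find_discovery_bursts(log_text, window=timedelta(minutes=5), min_distinct=3):
    """Return one alert per parent process that ran at least `min_distinct`
    different discovery commands inside any `window`-long interval."""
    events = defaultdict(list)  # (ppid, parent path) -> [(timestamp, category)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify(rec["argv"])
        if category is None:
            continue
        events[(rec["ppid"], rec["parent"])].append((rec["ts"], category))

    alerts = []
    for (ppid, parent), evs in events.items():
        evs.sort()
        # Slide a window starting at each event; the first window that
        # contains enough distinct commands produces the alert.
        for i, (start, _) in enumerate(evs):
            seen = {cat for ts, cat in evs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                alerts.append({
                    "ppid": ppid,
                    "parent": parent,
                    "first_seen": start,
                    "commands": sorted(seen),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_LOG):
        print(f"{alert['first_seen']:%Y-%m-%dT%H:%M:%SZ} ppid={alert['ppid']} "
              f"parent={alert['parent']} ran {', '.join(alert['commands'])}")
```

On the constructed log this yields a single alert for ppid 598 (the placeholder "/tmp/updater"), while the two separate zsh sessions that each ran one command stay quiet. Tuning `min_distinct` and `window` against a baseline of your own fleet's admin tooling is what keeps the false-positive rate usable.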
A closer investigation of the command-and-control (C2) infrastructure has also revealed a leaky endpoint ("/client/bots") that makes it possible to glean details about the currently infected victims, including the timestamps when the infected host was registered and the last activity was observed.
The development comes as South Korea's National Intelligence Service (NIS) revealed that an IT organization affiliated with the Workers' Party of North Korea's Office No. 39 is generating illicit revenue by selling thousands of malware-laced gambling websites to other cybercriminals for stealing sensitive data from unsuspecting gamblers.
The company behind the malware-as-a-service (MaaS) scheme is Gyeongheung (also spelled Gyonghung), a 15-member entity based in Dandong that has allegedly received $5,000 from an unidentified South Korean criminal organization in exchange for creating a single website and $3,000 per month for maintaining the website, Yonhap News Agency reported.