
RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers

Multiple companies in the cryptocurrency sector are currently being targeted by an ongoing campaign involving a newly discovered Apple macOS backdoor, codenamed RustDoor. RustDoor is Rust-based malware that can harvest and upload files and gather information about infected machines. The malware is distributed by masquerading as a Visual Studio update.

Bitdefender was the first to document RustDoor last week, but at the time the backdoor's initial propagation method remained unknown. The cybersecurity firm has since revealed that the campaign was a targeted attack rather than a shotgun distribution campaign, and it found additional artifacts responsible for downloading and executing RustDoor. Some of these first-stage downloaders claim to be PDF files containing job offers, but they are actually scripts that download and run the malware while also downloading and opening an innocuous PDF file that bills itself as a confidentiality agreement.

Since then, three more malicious samples that act as first-stage payloads have come to light, each purporting to be a job offer. These ZIP archives predate the earlier RustDoor binaries by nearly a month. The new component of the attack chain contains a basic shell script responsible for fetching the implant from a website named “turkishfurniture[.]blog”. It is also engineered to preview a harmless decoy PDF file (“job.pdf”) hosted on the same site as a distraction.

Additionally, Bitdefender has detected four new Golang-based binaries that communicate with an actor-controlled domain. Their purpose is to collect information about the victim's machine and its network connections using the system_profiler and networksetup utilities, which are part of the macOS operating system. The binaries can also extract details about the disk via “diskutil list” and retrieve a comprehensive list of kernel parameters and configuration values using the “sysctl -a” command.
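Because these commands are individually benign, a useful detection is the burst of several of them from one parent process. The following Python check is an added example, not code from the article or from Bitdefender's research; the event line format and the sample events are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real telemetry): "<ts> ppid=<parent pid> cmd=<command line>".
SAMPLE_EVENTS = [
    "2024-02-12T10:00:01Z ppid=4121 cmd=/usr/sbin/system_profiler SPHardwareDataType",
    "2024-02-12T10:00:02Z ppid=4121 cmd=/usr/sbin/networksetup -listallhardwareports",
    "2024-02-12T10:00:03Z ppid=4121 cmd=/usr/sbin/diskutil list",
    "2024-02-12T10:00:04Z ppid=4121 cmd=/usr/sbin/sysctl -a",
    "2024-02-12T10:30:00Z ppid=900 cmd=/usr/sbin/diskutil list",  # isolated admin use
    "2024-02-12T11:00:00Z ppid=900 cmd=/usr/sbin/sysctl -a",  # half an hour later, no burst
]
# Host-reconnaissance commands the report attributes to the Go binaries.
RECON_PATTERNS = {
    "system_profiler": re.compile(r"\bsystem_profiler\b"),
    "networksetup": re.compile(r"\bnetworksetup\b"),
    "diskutil list": re.compile(r"\bdiskutil\s+list\b"),
    "sysctl -a": re.compile(r"\bsysctl\s+-a\b"),
}
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+ppid=(?P<ppid>\d+)\s+cmd=(?P<cmd>.*)$")

def parse_event(line):
    """Parse one event line into (timestamp, ppid, cmd); None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, int(m.group("ppid")), m.group("cmd")

def find_recon_bursts(lines, window=timedelta(seconds=60), min_distinct=3):
    """Return {ppid: sorted recon names} for parents running >= min_distinct recon commands in window."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip lines that do not match the event format
        ts, ppid, cmd = ev
        for name, pattern in RECON_PATTERNS.items():
            if pattern.search(cmd):
                by_parent[ppid].append((ts, name))
    hits = {}
    for ppid, events in by_parent.items():
        events.sort()  # chronological; tuples sort by timestamp first
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= min_distinct:
                hits[ppid] = sorted(names)
                break
    return hits
```

Tune `window` and `min_distinct` to the environment; MDM and inventory agents also run some of these commands, so allow-list their parent processes rather than the commands themselves.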

Further investigation of the command-and-control (C2) infrastructure has revealed a leaky endpoint (“/client/bots”) that makes it possible to glean details about the currently infected victims, including the timestamps when each infected host was registered and when its last activity was observed. According to Bogdan Botezatu, Director of Threat Research and Reporting at Bitdefender, “We know there are at least three victim companies until now. The attackers seem to target senior engineering staff, and this explains why the [malware] is disguised as a Visual Studio update. We don't know if there are any other companies compromised at this point, but we are still investigating this.”

It has also been discovered that the victims are geographically linked, with two of them located in Hong Kong and the third in Lagos, Nigeria. This development comes as South Korea's National Intelligence Service (NIS) revealed that an IT organization affiliated with the Workers' Party of Korea's Office No. 39 is generating illicit revenue by selling thousands of malware-laced gambling websites to other cybercriminals for stealing sensitive data from unsuspecting gamblers.

Want to read more? Check out the original article available at The Hacker News!

