New RustDoor macOS malware impersonates Visual Studio update

February 9, 2024 at 11:00AM

A new Rust-based macOS malware, known as RustDoor, has been spreading as a Visual Studio update, providing backdoor access to compromised systems. Linked to the ALPHV/BlackCat ransomware gang’s infrastructure, it communicates with command and control servers potentially associated with ransomware operations. The malware has advanced capabilities and is distributed under various names, persisting after system reboots to avoid detection.

The report describes an emerging threat in the form of a new macOS malware called RustDoor. The malware is distributed as an updater for Visual Studio for Mac, under names such as ‘zshrc2,’ ‘Previewers,’ and ‘VisualStudioUpdater.’ It runs on both Intel-based (x86_64) and ARM (Apple Silicon) architectures. It communicates with command and control (C2) servers and has been linked to the ALPHV/BlackCat ransomware gang.

RustDoor has a range of backdoor capabilities: it can control compromised systems, exfiltrate data, and persist on devices by modifying system files. It uses cron jobs and LaunchAgents to schedule its execution and survive reboots. The commands supported by the malware include listing running processes, executing arbitrary shell commands, uploading and downloading files, displaying messages to the user, and more.
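The two persistence locations named above, LaunchAgents and cron, are also where a defender would look first. The script below is an added example, not code from the report or from the researchers: it parses launchd plists with the standard library, flags programs that match the reported RustDoor filenames or that run from outside the usual system paths, and applies the same checks to crontab lines (an `@reboot` entry is noted because it is what makes a cron job survive restarts). The "trusted prefix" and "writable location" lists are heuristics chosen for this example, and the sample plists and crontab are constructed, not real captures.

```python
"""Triage helper for launchd and cron persistence of the kind the RustDoor report describes.
Added illustration; not code from the report or from the researchers."""
import os
import plistlib
import re
import tempfile

# Filenames the report lists for the RustDoor binaries.
KNOWN_NAMES = ("zshrc2", "Previewers", "VisualStudioUpdater")

# Where launchd reads agent/daemon plists on macOS; the per-user directory needs no root to write.
DEFAULT_PLIST_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")

# Heuristic for this example: executables under these prefixes are treated as expected.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")

# Heuristic for this example: places a user-level implant can write without privileges.
WRITABLE_HINTS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "~/")

# Five schedule fields (or an @keyword) followed by the command.
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<cmd>\S.*)$")


def _matches_known_name(text):
    return any(k.lower() in text.lower() for k in KNOWN_NAMES)


def program_of(plist):
    """Executable a launchd plist would start: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def scan_plist_dir(directory):
    """Return one finding dict per suspicious .plist in `directory` (missing dir -> no findings)."""
    findings = []
    directory = os.path.expanduser(directory)
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:  # a plist launchd cannot parse is itself worth a look
            findings.append({"file": path, "label": None, "program": None, "reasons": ["unparseable plist"]})
            continue
        program = program_of(plist)
        reasons = []
        if program is None:
            reasons.append("no Program/ProgramArguments")
        else:
            if _matches_known_name(program):
                reasons.append("program name matches a reported RustDoor filename")
            if not program.startswith(TRUSTED_PREFIXES):
                reasons.append("program outside expected system paths")
        if reasons and plist.get("RunAtLoad"):
            reasons.append("RunAtLoad=true (starts at login/boot)")
        if reasons:
            findings.append({"file": path, "label": plist.get("Label"), "program": program, "reasons": reasons})
    return findings


def scan_crontab(text):
    """Return findings for crontab lines whose command looks like user-level persistence."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        reasons = []
        if _matches_known_name(cmd):
            reasons.append("command references a reported RustDoor filename")
        if any(h in cmd for h in WRITABLE_HINTS):
            reasons.append("command runs from a user-writable location")
        if reasons and line.lstrip().startswith("@reboot"):
            reasons.append("@reboot entry (re-runs after every restart)")
        if reasons:
            findings.append({"line": lineno, "command": cmd, "reasons": reasons})
    return findings


# Constructed sample input (not a real capture): one benign entry, one RustDoor-like entry.
SAMPLE_CRONTAB = """# constructed sample crontab
*/15 * * * * /usr/bin/true
@reboot /Users/alice/Library/VisualStudioUpdater
"""


def build_sample_dir():
    """Write two constructed plists into a temp dir: one benign-looking, one RustDoor-like."""
    d = tempfile.mkdtemp(prefix="launchagents_")
    benign = {"Label": "com.apple.example", "ProgramArguments": ["/usr/libexec/example"], "RunAtLoad": True}
    suspicious = {"Label": "com.apple.Previewers",
                  "ProgramArguments": ["/Users/alice/Library/Previewers", "--daemon"], "RunAtLoad": True}
    for fname, content in (("com.apple.example.plist", benign), ("com.apple.Previewers.plist", suspicious)):
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(content, fh)
    return d


def run_demo():
    """Scan the constructed samples; returns {'launchd': [...], 'cron': [...]}."""
    return {"launchd": scan_plist_dir(build_sample_dir()), "cron": scan_crontab(SAMPLE_CRONTAB)}


if __name__ == "__main__":
    for section, items in run_demo().items():
        for item in items:
            print(section, item)
    # For a live hunt on a Mac, iterate over DEFAULT_PLIST_DIRS and feed `crontab -l` output to scan_crontab().
```

Run as-is, the script reports only the constructed `com.apple.Previewers` plist and the `@reboot` crontab line; the benign Apple-style entries produce nothing. A misleading `com.apple.*` label is deliberately not treated as trustworthy, because the label is free text while the program path is what actually executes.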

There are at least three variants of RustDoor, the earliest observed in early October 2023. The researchers have published known indicators of compromise, including binaries, download domains, and URLs for the command and control servers.

Organizations should be aware of this threat and take precautions against compromise by this malware: updating security products, monitoring network traffic for suspicious activity, and educating employees about the risks of phishing and malware.