August 27, 2024 at 12:33PM
Chinese instant messaging app users are targeted by HZ RAT, a backdoor malware on Apple macOS replicating Windows version. Distributed via RTF documents and software installers, it connects to C2 server for instructions, likely for credential harvesting and reconnaissance. Recent sample impersonates OpenVPN, collecting user data, with most C2 servers located in China.
After reviewing the meeting notes, here are the key takeaways:
– Chinese instant messaging app users are being targeted by an Apple macOS version of a backdoor named HZ RAT.
– The backdoor replicates the functionality of the Windows version and is distributed via self-extracting zip archives or malicious RTF documents.
– Attack chains involving RTF documents exploit a Microsoft Office flaw to deploy the Windows version of the malware.
– HZ RAT masquerades as legitimate software installers and connects to a command-and-control (C2) server to receive further instructions.
– It is suspected that the malware is primarily used for credential harvesting and system reconnaissance activities.
– Evidence shows that the campaign has been active since at least October 2020, with C2 servers primarily located in China.
– The latest sample impersonates OpenVPN Connect and attempts to obtain victim data from WeChat and DingTalk.
– Most C2 servers are located in China, with some based in the U.S. and the Netherlands.
The article provides detailed insights into the HZ RAT malware and its operations, with a focus on its targeting of Chinese instant messaging app users and the methods used for distribution. Additionally, it highlights the potential threat posed by this malware and the ongoing activity of the threat actors behind the attacks.
Feel free to reach out if you need further analysis or additional information.