In June 2024, we discovered a macOS version of the HZ Rat backdoor targeting users of the enterprise messenger DingTalk and the social network and messaging platform WeChat. The samples we found almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server. We noticed that some versions of the backdoor use local IP addresses to connect to C2, which led us to believe the threat may be targeted. This also points to an intention to exploit the backdoor for lateral movement through the victim’s network.
First detected by DCSO researchers in November 2022, HZ Rat initially targeted Windows systems and received commands in the form of PowerShell scripts.
Technical details
Despite not knowing the malware’s original distribution point, we managed to find an installation package for one of the backdoor samples. The file is named OpenVPNConnect.pkg. It was uploaded to VirusTotal in July 2023 and, at the time of research, wasn’t detected by any vendor, like other backdoor samples. The installer takes the form of a wrapper for the legitimate “OpenVPN Connect” application, while the MacOS package directory contains two files in addition to the original client: exe and init. The system determines which file t ..
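A defender-side check for the trojanization pattern described above, added here as an example and not code from the original report: it reads the executable declared in the bundle's Info.plist and reports every other entry in Contents/MacOS together with a coarse file type taken from its first bytes. The bundle it builds is a constructed stand-in; the types assigned to the extra files "exe" and "init" are assumptions, not findings from the sample.

```python
"""Flag Contents/MacOS entries that are not the declared CFBundleExecutable,
the layout seen in the trojanized OpenVPN Connect wrapper (client + exe + init)."""
import os
import plistlib
import tempfile
from pathlib import Path

# Mach-O magic numbers (32/64-bit, both byte orders) plus fat-binary magics.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}


def classify(path: Path) -> str:
    """Coarse file type from the leading bytes; the file is never executed."""
    with path.open("rb") as fh:
        head = fh.read(4)
    if head in MACHO_MAGICS:
        return "mach-o"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def unexpected_macos_entries(app_bundle: str) -> dict:
    """Map each Contents/MacOS entry other than CFBundleExecutable to its type.
    An empty dict means the bundle carries only the executable it declares."""
    contents = Path(app_bundle) / "Contents"
    with (contents / "Info.plist").open("rb") as fh:
        declared = plistlib.load(fh).get("CFBundleExecutable")
    macos_dir = contents / "MacOS"
    return {name: classify(macos_dir / name)
            for name in sorted(os.listdir(macos_dir)) if name != declared}


def build_constructed_sample(root: str) -> str:
    """Create a fake bundle mirroring the described layout. File contents are
    constructed placeholders (assumed types), not the real files."""
    app = Path(root) / "OpenVPN Connect.app"
    macos_dir = app / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    with (app / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": "OpenVPN Connect"}, fh)
    (macos_dir / "OpenVPN Connect").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 12)
    (macos_dir / "exe").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 12)
    (macos_dir / "init").write_bytes(b"#!/bin/sh\necho placeholder\n")
    return str(app)


def run_demo() -> dict:
    """Build the constructed bundle in a temp dir and return the flagged entries."""
    with tempfile.TemporaryDirectory() as tmp:
        return unexpected_macos_entries(build_constructed_sample(tmp))


if __name__ == "__main__":
    print(run_demo())  # → {'exe': 'mach-o', 'init': 'script'}
```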