Several cryptocurrency companies are the target of a recently discovered Apple macOS backdoor, codenamed Bring Rust.
RustDoor was first documented by Bitdefender last week, describing it as Rust-based malware capable of collecting and uploading files, as well as gathering information about infected machines. It is distributed masquerading as a Visual Studio update.
While previous trials have uncovered at least three different variants of the backdoor, the exact mechanism of initial propagation remained unknown.
That said, the Romanian cybersecurity firm later told The Hacker News that the malware was used as part of a targeted attack rather than a targeted distribution campaign, noting that it found additional artifacts responsible for downloading and running RustDoor.
“Some of these first-stage downloaders claim to be PDF files with job postings, but in reality they are scripts that download and execute malware while simultaneously downloading and opening a harmless PDF file that presents itself as a nondisclosure agreement,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, said.
Since then, three more malicious samples serving as first-stage payloads have come to light, each purporting to be a job offer. These ZIP archives predate previous RustDoor binaries by almost a month.
The new component of the attack chain, namely the archive files (“Jobinfo.app.zip” or “Jobinfo.zip”), contains a basic shell script responsible for recovering the implant from a website named turkishfurniture[.]blog. It is also designed to preview a harmless decoy PDF file (“job.pdf”) hosted on the same site as a distraction.
Bitdefender said it also detected four new Golang-based binaries that communicate with a domain controlled by the actor (“sarkerrentacars[.]com”), whose purpose is to “collect information about the victim’s computer and its network connections using the system_profiler and networksetup utilities, which are part of the macOS operating system.
Additionally, the binaries are able to extract disk details via “diskutil list” and retrieve an extensive list of kernel parameters and configuration values using the “sysctl -a” command.
A deeper investigation of the command and control (C2) infrastructure also revealed a leaky endpoint (“/client/bots”) that allows it to gather details about currently infected victims, including timestamps when the infected host and the latest activity was observed.
The development comes as South Korea’s National Intelligence Service (NIS) revealed that an IT organization affiliated with Office No. 39 of North Korea’s Workers’ Party is generating illicit revenue by selling thousands of malware-ridden gambling websites to other cybercriminals for stealing sensitive data. by unsuspecting gamblers.
The company behind the malware-as-a-service (MaaS) scheme is Gyeongheung (also spelled Gyonghung), a 15-member entity based in Dandong that allegedly received $5,000 from an unidentified South Korean criminal organization in exchange for the creation of a single website and $3,000 a month for website maintenance, Yonhap news agency reported.