A remote access trojan (RAT), HZ RAT, which has been attacking Windows-based devices since at least 2020, was recently updated and changed to target Mac users as well.
Typically, a RAT is a type of malware that an attacker uses to take remote control of a target computer and gain full administrator capabilities.
RATs are often delivered to their target as an email attachment via phishing emails or downloaded along with applications that appear to be legitimate user requests, such as video games.
On September 5, Intego said a new version of the HZ RAT, designed to attack macOS environments, had been released into the wild.
Meet the CISO, join the virtual panel to learn about compliance – Sign up for free
According to previous reports about the HZ RAT, China is the origin host of the malware, even though Intego does not disclose attribution information.
HZ RAT, a recent addition to the Mac malware family, is a tool that gives the attacker full remote administration access. This RAT first appeared on Windows computers in 2022, and now it has made its way to Mac.
Behavior of the macOS HZ RAT malware
As stated in the Moonlock report, HZ RAT can spy on users and steal data, but it is not a legitimate thief due to its ingenuity and persistence. As a remote access trojan, the malware provides the attacker with full remote administrator capabilities.
“The malware can take screenshots, record what a user is typing, steal data from Google Password Manager, and search for user data to breach WeChat and DingTalk — both popular Mac apps in China,” it said. report.
After the malware is installed, it establishes a connection with a command and control server to obtain more instructions.
This implies that the attacker has the ability to upload and extract files to their server, write arbitrary files to the system, and execute scripts and PowerShell commands from remote locations.
It is believed that pit attacks, malicious fraudulent Google ads and website impersonation could be used to spread the new Mac malware.
From a compromised Mac, the malware can collect the following information:
- Local IP address
- Bluetooth device data
- Data about Wi-Fi networks and wireless network adapters
- Information about the network to which the device is connected
- Hardware specifications
- Information about data storage
- List of apps on the breached device
- Information from WeChat
- Data about users and organizations from DingTalk
- Google Password Manager usernames and websites
Although the malware does not harvest passwords from Google Password Manager, actors are suspected of using stolen password leaks obtained on the dark web to combine them with usernames and other data extracted by the malware.
The true purpose of this initiative is unknown, other than data collection. Even more worrying is that security vendors have failed to detect this ransomware.
Additionally, Intego discovered a malware sample impersonating the OpenVPN Connect VPN app. Safelist analysis reveals that this malware poses as OpenVPN Connect.
A 2022 examination of the Windows version of this malware also discovered several Chinese IP addresses and domains associated with this malware operation.
About 80% of the IPs on the list were found to be active but unreachable, with the remaining 20% inactive.
Recommendation
To protect your Mac against these and other risks, download software only from trusted sources, such as the Apple App Store. Update your operating system and security software and be alert for suspicious communications, links or attachments.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial
#MacOS #malware #attackers #control #device #remotely
