
Rust-Based Malware Targeting macOS Users: Unsuspecting Users Beware

Feb 13, 2024
New malware found in macOS that steals files by pretending to be a Visual Studio update

A new type of malware targeting macOS users has been identified by researchers at Bitdefender. This backdoor disguises itself as an update to Microsoft Visual Studio Code but is actually used to steal files from the computers of unsuspecting users. The backdoor, named Trojan.MAC.RustDoor, is written in Rust, a programming language whose compiled binaries are harder for analysts and detection tools to examine, which helps cybercriminals evade detection and analysis.

The malware can be used to steal specific files or file types, which it then archives and uploads to a command-and-control (C&C) server so that the malicious actors can access them. The campaign has been active since at least November of last year, meaning the malware ran undetected for at least three months.

To distribute itself, the malware spoofs an update to Microsoft’s Visual Studio program and uses file names like ‘VisualStudioUpdater’, ‘DO_NOT_RUN_ChromeUpdates’, or ‘zshrc2’. The malware is also built for multiple processor architectures and supports commands such as ‘shell’, ‘cd’, ‘sleep’, ‘upload’, ‘taskkill’, and ‘dialog’, which allow cybercriminals to collect and upload files and obtain information about the infected device.

Despite these findings, Bitdefender has indicated that, for the moment, this malware campaign cannot be attributed to any known threat actor. However, the researchers have observed similarities with the ALPHV/BlackCat ransomware operation, which also uses the Rust programming language and shares “common domains” used as command-and-control infrastructure.

This new malware poses a significant threat to macOS users and highlights the importance of staying vigilant and following strong cybersecurity practices to protect against such attacks. macOS users should keep their software up to date, avoid downloading software from unknown sources, run antivirus software regularly, and maintain strong passwords to reduce the risk of attacks like this one.
