Cybersecurity experts have identified a concerning threat known as the HZ RAT backdoor, targeting users of Chinese messaging apps on Apple macOS [2].

Description

The HZ RAT backdoor [1] [2] [4], first observed in November 2022, mirrors the functionality of its Windows counterpart and is distributed through self-extracting zip archives or malicious RTF documents [1] [4]. Once installed, it connects to a command-and-control (C2) server to receive instructions [4] and can carry out malicious activities such as executing PowerShell commands, writing files to the system [1] [3] [4], and uploading files to the server [4]. The backdoor is believed to be used for credential theft and system reconnaissance, gathering sensitive information such as the WeChat ID, email address [1] [3], and phone number of WeChat users [1]. The campaign has been active since at least October 2020 [1] [3], with C2 servers located primarily in China [1] [3] [4], the US [3], and the Netherlands [3]. The latest variant of the malware poses as OpenVPN Connect and collects user data that could support lateral movement within victim networks [1].

Conclusion

The ongoing activity of threat actors behind these attacks underscores the critical need for robust security measures to defend against such sophisticated threats. Organizations and individuals must remain vigilant and implement effective cybersecurity practices to safeguard sensitive information and prevent unauthorized access to their systems.

References

[1] https://thehackernews.com/2024/08/macos-version-of-hz-rat-backdoor.html
[2] https://www.krofeksecurity.com/macos-version-of-hz-rat-backdoor-targets-chinese-messaging-app-users/
[3] https://www.techidee.nl/macos-versie-van-hz-rat-backdoor-richt-zich-op-chinese-gebruikers-van-berichten-apps/13375/
[4] https://www.ihash.eu/2024/08/macos-version-of-hz-rat-backdoor-targets-chinese-messaging-app-users/