Researchers identify new macOS 'malware' capable of stealing files while posing as a Visual Studio update


A group of researchers has identified new ‘malware’ targeting macOS users that is capable of stealing files through a backdoor and is distributed as an update to the Microsoft Visual Studio Code program.

It has been detailed by researchers from the cyber security company Bitdefender, who state that it is a new backdoor belonging to a family of ‘malware’ that was “not previously documented” and that shows possible links to a Windows ‘ransomware’ group.

As explained in a statement on their website, this backdoor, which they refer to as Trojan.Mac.RustDoor, targets macOS users and is written in Rust, a “relatively new” programming language in the ‘malware’ ecosystem, which gives cyber criminals an advantage because it makes detection and analysis of attacks harder.


Specifically, as they observed, the malware can be used to steal specific files or file types, as well as to store them and upload them to a command and control (C&C) server so that malicious actors can access them.

Furthermore, according to the researchers, the campaign has been active since at least November of last year. The latest malware sample found is dated the 2nd of this month, indicating that it has been “running unknown for at least three months.”

To get distributed, this ‘malware’ impersonates updates to Microsoft’s Visual Studio program. In fact, some of the identified samples have names like ‘VisualStudioUpdater’, ‘VisualStudioUpdater_Patch’, ‘VisualStudioUpdating’ and ‘VisualStudioUpdate’. However, other samples of this ‘malware’ have also been found with the names ‘DO_NOT_RUN_ChromeUpdates’ or ‘zshrc2’.


Similarly, all the files are FAT (universal) binaries, that is, they can run on multiple processor types, in this case the Intel (x86_64) and ARM (Apple Silicon) architectures.
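A defender-side triage check for the universal binaries described above, added here as an example and not taken from the Bitdefender report: it parses the classic Mach-O fat header and reports which CPU architectures a file carries. The sample header it runs on is constructed for the demo; the magic number and CPU type constants are the public Mach-O values.

```python
import struct

FAT_MAGIC = 0xCAFEBABE  # classic fat header; all fields are big-endian
CPU_TYPE_NAMES = {
    0x01000007: "x86_64",  # CPU_TYPE_X86_64 (Intel)
    0x0100000C: "arm64",   # CPU_TYPE_ARM64 (Apple Silicon)
}


def fat_architectures(data: bytes) -> list[str]:
    """Return the architecture names listed in a classic fat header.

    Returns [] when the bytes are not a fat binary (e.g. a single-arch
    Mach-O, which starts with 0xFEEDFACE/0xFEEDFACF instead).
    """
    if len(data) < 8:
        return []
    magic, nfat_arch = struct.unpack(">II", data[:8])
    # Java .class files share the 0xCAFEBABE magic but follow it with a
    # version word, so an implausible slice count filters them out.
    if magic != FAT_MAGIC or nfat_arch == 0 or nfat_arch > 30:
        return []
    archs = []
    for i in range(nfat_arch):
        # struct fat_arch: cputype, cpusubtype, offset, size, align (20 bytes)
        entry = data[8 + 20 * i: 28 + 20 * i]
        if len(entry) < 20:
            break  # truncated header
        cputype, _subtype, _offset, _size, _align = struct.unpack(">iiIII", entry)
        archs.append(CPU_TYPE_NAMES.get(cputype, f"cputype_{cputype:#x}"))
    return archs


def is_intel_and_arm_universal(data: bytes) -> bool:
    """True when the file carries both an Intel and an Apple Silicon slice."""
    archs = fat_architectures(data)
    return "x86_64" in archs and "arm64" in archs


def build_sample_fat_header(cputypes: list[int]) -> bytes:
    """Constructed sample: a fat header with one empty slice per cputype."""
    header = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for ct in cputypes:
        header += struct.pack(">iiIII", ct, 0, 0x4000, 0, 14)
    return header


if __name__ == "__main__":
    sample = build_sample_fat_header([0x01000007, 0x0100000C])
    print(fat_architectures(sample), is_intel_and_arm_universal(sample))
```

Run it against a real file with `fat_architectures(open(path, "rb").read(32))`; only the first few dozen bytes are needed.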

Among the different variants that researchers have identified in this ‘malware’ campaign, commands like ‘shell’, ‘cd’, ‘sleep’, ‘upload’, ‘taskkill’ or ‘dialog’ have been found, with which the cyber criminal can collect and upload files, as well as obtain information about the device on which the malware is running.

In particular, they explain that the backdoor uses the ‘sysctl’, ‘pwd’ and ‘hostname’ commands to gather device information, which it sends to the registration endpoint on the infrastructure servers (the servers that centralise the stolen information and issue the necessary actions) together with a victim ID that is then used in “the rest of the communication between the C&C and the backdoor”.


With all that said, Bitdefender has indicated that, at this time, this ‘malware’ campaign cannot be attributed to any known threat actor. However, they have noted similarities with the ALPHV/BlackCat ‘ransomware’, which also uses “common domains” as well as the Rust programming language and similar command and control infrastructure servers.

In fact, they have reported that three of the four command and control servers used by this ‘malware’ are linked to previous ‘ransomware’ campaigns aimed at Windows clients.

