macOS users of some of the biggest chat apps around are being hit with new malware scam


Chinese macOS users who utilize the DingTalk and WeChat apps to communicate with others are being targeted with new infostealing malware, experts have warned.

Cybersecurity researchers at Kaspersky analyzed a new malware sample, recently uploaded to VirusTotal, and discovered that hackers had taken a known infostealer called HZ RAT and repurposed it for macOS.

HZ RAT has been around for almost half a decade (since 2020), but was first identified by the German cybersecurity outlet DCSO in late 2022. For an infostealer, HZ RAT is relatively rudimentary and unsophisticated. It can connect to a command-and-control (C2) server, execute PowerShell commands and scripts, write arbitrary files to the target system, upload files, and send system information.

Chinese C2 servers

The Hacker News claims that given its limited functionality, HZ RAT is probably used for credential harvesting and system reconnaissance.

Now someone has taken it and produced a near-identical copy built for macOS. “The samples we found almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server,” Kaspersky said.

The Windows and macOS versions are also similar in how they reach the target endpoint in the first place. While Windows variants impersonated legitimate software such as OpenVPN, PuTTYgen, or EasyConnect, the macOS versions seen so far impersonate the OpenVPN Connect client.

The data grabbed by HZ RAT differs depending on the chat app in use, Kaspersky further explained: “The malware attempts to obtain the victim's WeChatID, email, and phone number from WeChat,” they said. “As for DingTalk, attackers are interested in more detailed victim data: Name of the organization and department where the user works, username, corporate email address, [and] phone number.”

While the identity of the attackers is unknown, the researchers managed to determine where the C2 infrastructure is located. The majority of the servers are based in China, with two found in the US and the Netherlands.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.