macOS version of HZ RAT backdoor targets users of Chinese messaging apps

27 August 2024 | Ravie Lakshmanan | Cyber espionage / malware


Users of Chinese instant messaging apps such as DingTalk and WeChat are the target of an Apple macOS version of a backdoor called HZ RAT.

The artifacts “reproduce the functionality of the Windows version of the backdoor almost exactly and differ only in the payload, which is received in the form of shell scripts from the attackers’ server,” said Kaspersky researcher Sergey Puzan.

HZ RAT was first documented by German cybersecurity company DCSO in November 2022. The malware was distributed via self-extracting ZIP archives or malicious RTF documents, presumably created using the Royal Road RTF weaponization program.


The RTF document attack chains are designed to deliver the Windows version of the malware, which then runs on the compromised host, by exploiting a years-old Microsoft Office bug in the Equation Editor (CVE-2017-11882).

The second distribution method, on the other hand, disguises itself as an installer for legitimate software such as OpenVPN, PuTTYgen or EasyConnect, which, in addition to the actual installation of the lure program, also executes a Visual Basic script (VBS) that is responsible for starting the RAT.

The functions of HZ RAT are relatively simple: it connects to a command-and-control (C2) server to receive further instructions, including executing PowerShell commands and scripts, writing arbitrary files to the system, uploading files to the server, and sending heartbeat information.

Given the tool's limited functionality, it is suspected that the malware is used primarily to steal login credentials and perform reconnaissance on the compromised system.

There is evidence that the first versions of the malware were discovered in the wild as early as June 2020. The campaign itself has probably been active since at least October 2020, according to DCSO.

Chinese messaging app users

The latest sample discovered by Kaspersky, uploaded to VirusTotal in July 2023, imitates OpenVPN Connect (“OpenVPNConnect.pkg”) and, once launched, establishes contact with a C2 server whose address is embedded in the backdoor in order to execute four basic commands similar to those of its Windows counterpart:

  • Execute shell commands (e.g. system information, local IP address, list of installed apps, data from DingTalk, Google Password Manager and WeChat)
  • Write a file to the hard disk
  • Send a file to the C2 server
  • Check the availability of a victim

“The malware tries to obtain the victim’s WeChatID, email address and phone number from WeChat,” Puzan said. “As for DingTalk, the attackers are interested in more detailed data about the victim: name of the organization and department the user works in, username, company email address (and) phone number.”


Further analysis of the attack infrastructure revealed that almost all C2 servers, except for two in the US and the Netherlands, are located in China.

In addition, the ZIP archive containing the macOS installation package (“OpenVPNConnect.zip”) is said to have previously been downloaded from a domain of a Chinese video game developer called miHoYo, known for Genshin Impact and Honkai.

It is currently unclear how the file was uploaded to the domain in question (“vpn.mihoyo(.)com”) and whether the server was compromised at some point in the past. It is also unclear how widespread the campaign is, but the fact that the backdoor is still being used even after all these years suggests some degree of success.

“The macOS version of HZ Rat we found shows that the threat actors behind the previous attacks are still active,” Puzan said. “The malware only collected user data, but could later be used to move laterally within the victim’s network, as suggested by the presence of private IP addresses in some examples.”


By Olivia
