RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers

Multiple companies operating in the cryptocurrency sector are the target of an ongoing malware campaign that involves a newly discovered Apple macOS backdoor codenamed RustDoor.

BLOGS

Winston Ighodaro

2/17/20243 min read

Multiple companies operating in the cryptocurrency sector are the target of an ongoing malware campaign that involves a newly discovered Apple macOS backdoor codenamed RustDoor.

RustDoor was first documented by Bitdefender last week, describing it as a Rust-based malware capable of harvesting and uploading files, as well as gathering information about the infected machines. It's distributed by masquerading itself as a Visual Studio update.

While prior evidence uncovered at least three different variants of the backdoor, the exact initial propagation mechanism remained unknown.

That said, the Romanian cybersecurity firm subsequently informed the media that the malware was used as part of a targeted attack rather than a shotgun distribution campaign, noting that it found additional artifacts that are responsible for downloading and executing RustDoor.

"Some of these first stage downloaders claim to be PDF files with job offerings, but in reality, are scripts that download and execute the malware while also downloading and opening an innocuous PDF file that bills itself as a confidentiality agreement," Bogdan Botezatu, director of threat research and reporting at Bitdefender, said.

Since then, three more malicious samples that act as first-stage payloads have come to light, each of them purporting to be a job offering. These ZIP archives predate the earlier RustDoor binaries by nearly a month.

The new component of the attack chain – i.e., the archive files ("Jobinfo.app.zip" or "Jobinfo.zip") – contains a basic shell script that's responsible for fetching the implant from a website named turkishfurniture[.]blog. It's also engineered to preview a harmless decoy PDF file ("job.pdf") hosted on the same site as a distraction.

Bitdefender said it also detected four new Golang-based binaries that communicate with an actor-controlled domain ("sarkerrentacars[.]com"), whose purpose is to "collect information about the victim's machine and its network connections using the system_profiler and networksetup utilities, which are part of the macOS operating system.

In addition, the binaries are capable of extracting details about the disk via "diskutil list" as well as retrieving a wide list of kernel parameters and configuration values using the "sysctl -a" command.

A closer investigation of the command-and-control (C2) infrastructure has also revealed a leaky endpoint ("/client/bots") that makes it possible to glean details about the currently infected victims, including the timestamps when the infected host was registered and the last activity was observed.

"We know there are at least three victim companies until now," Botezatu said. "The attackers seem to target senior engineering staff – and this explains why the malware is disguised as a Visual Studio update. We don't know if there are any other companies compromised at this point, but we are still investigating this."

"It looks that the victims are indeed geographically linked – two of the victims are in Hong Kong, while the other one is in Lagos, Nigeria."

The development comes as South Korea's National Intelligence Service (NIS) revealed that an IT organization affiliated with the Workers' Party of North Korea's Office No. 39 is generating illicit revenue by selling thousands of malware-laced gambling websites to other cybercriminals for stealing sensitive data from unsuspecting gamblers.

The company behind the malware-as-a-service (MaaS) scheme is Gyeongheung (also spelled Gyonghung), a 15-member entity based in Dandong that has allegedly received $5,000 from an unidentified South Korean criminal organization in exchange for creating a single website and $3,000 per month for maintaining the website, Yonhap News Agency reported.