HZ Rat backdoor for macOS attacks users of China’s DingTalk and WeChat

In June 2024, we discovered a macOS version of the HZ Rat backdoor targeting users of the enterprise messenger DingTalk and the social network and messaging platform WeChat. The samples we found almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server. We noticed that some versions of the backdoor use local IP addresses to connect to C2, which led us to believe the threat may be targeted. This also points to an intention to exploit the backdoor for lateral movement through the victim’s network.

First detected by DCSO researchers in November 2022, HZ Rat initially targeted Windows systems and received commands in the form of PowerShell scripts.

Technical details

Despite not knowing the malware’s original distribution point, we managed to find an installation package for one of the backdoor samples. The file is named OpenVPNConnect.pkg:

OpenVPNConnect.pkg on VirusTotal

It was uploaded to VirusTotal in July 2023 and, like the other backdoor samples, wasn’t detected by any vendor at the time of research. The installer takes the form of a wrapper for the legitimate “OpenVPN Connect” application, while the MacOS package directory contains two files in addition to the original client: exe and init.

Structure of the malicious installation package

The system determines which file to run when the application is opened using the Info.plist configuration file. The first one to be launched is the exe file – a shell script that runs the init file, then launches the OpenVPN application:

Contents of the “exe” file
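
The wrapper layout described above can be checked for during triage. This is an added example, not code from the report: it assumes the standard app bundle layout (Contents/Info.plist, Contents/MacOS) and the CFBundleExecutable key, neither of which the report names, and it builds a constructed bundle with a hypothetical "OriginalClient" file as input.

```python
import plistlib
import tempfile
from pathlib import Path


def inspect_bundle(app: Path) -> dict:
    """Report what Info.plist launches and what else sits in Contents/MacOS."""
    contents = app / "Contents"
    with open(contents / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)
    launcher = info["CFBundleExecutable"]       # file the system runs on open
    macos_dir = contents / "MacOS"
    with open(macos_dir / launcher, "rb") as fh:
        head = fh.read(2)
    extras = sorted(p.name for p in macos_dir.iterdir()
                    if p.is_file() and p.name != launcher)
    return {
        "launcher": launcher,
        "launcher_is_script": head == b"#!",    # shebang instead of a Mach-O header
        "extra_files": extras,                  # everything beside the launcher
    }


def build_constructed_bundle(root: Path) -> Path:
    """Constructed layout mirroring the report: exe (script), init, real client."""
    macos = root / "Sample.app" / "Contents" / "MacOS"
    macos.mkdir(parents=True)
    (macos / "exe").write_text("#!/bin/sh\n# placeholder launcher, does nothing\n")
    # Only the 64-bit Mach-O magic bytes, padded; these are not real binaries.
    (macos / "init").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 12)
    (macos / "OriginalClient").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 12)
    with open(macos.parent / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "exe"}, fh)
    return macos.parents[1]                     # path of Sample.app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(inspect_bundle(build_constructed_bundle(Path(tmp))))
```

A script launcher with extra files beside it is a triage signal rather than proof, since some legitimate applications also start through a script.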

The init file is the actual backdoor. When launched, it establishes a connection to C2 based on the list of IP addresses specified in the backdoor itself. In most cases, the samples used port 8081 for connection. Additionally, we found backdoor samples using private IP addresses to connect to C2.

C2 IP addresses in the backdoor code

All communication with C2 is encrypted using XOR with the key 0x42. To initialize a session, the backdoor sends a random four-byte value, labeled cookie in the code. Each message has the following structure:

  • Message code (1 byte);
  • Message length (4 bytes);
  • Message text, where the first 4 bytes contain the data size.

The executable file is written in C++ and contains debugging information, making it easy to identify:

Trojan class with malicious payload

The backdoor supports only four basic commands:

Code      Function name     Description
3, 8, 9   execute_cmdline   Execute shell command
4         write_file        Write file to disk
5         download_file     Send file to server
11        ping              Check victim’s availability
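
For analysts working from a packet capture, the message layout and command codes described above are enough to decode a reassembled stream. This is an added example, not code from the report or from the malware. The byte order, the length field covering the size prefix, and the cookie's position at the start of the backdoor's stream are assumptions the report does not state, and the sample bytes are constructed.

```python
import struct

XOR_KEY = 0x42                   # single-byte XOR key given in the report
HEADER = struct.Struct("<BI")    # ASSUMPTION: little-endian; code (1) + length (4)
SIZE = struct.Struct("<I")       # ASSUMPTION: little-endian data-size prefix
COMMANDS = {3: "execute_cmdline", 8: "execute_cmdline", 9: "execute_cmdline",
            4: "write_file", 5: "download_file", 11: "ping"}  # report's table


def xor(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in data)


def decode_stream(captured: bytes, skip_cookie: bool = False) -> list:
    """Decode one reassembled TCP direction into a list of messages."""
    plain = xor(captured)
    # ASSUMPTION: the 4-byte session cookie leads the backdoor-to-server stream.
    offset = 4 if skip_cookie else 0
    messages = []
    while offset < len(plain):
        if len(plain) - offset < HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        code, length = HEADER.unpack_from(plain, offset)
        offset += HEADER.size
        body = plain[offset:offset + length]
        # ASSUMPTION: "length" counts the whole text, including the size prefix.
        if len(body) != length or length < SIZE.size:
            raise ValueError(f"truncated or malformed text at offset {offset}")
        (size,) = SIZE.unpack_from(body)
        if size > length - SIZE.size:
            raise ValueError(f"data size {size} exceeds message length {length}")
        messages.append({"code": code, "name": COMMANDS.get(code, "unknown"),
                         "data": body[SIZE.size:SIZE.size + size]})
        offset += length
    return messages


def constructed_sample() -> bytes:
    """Constructed test bytes (not captured traffic): one command, one ping."""
    def frame(code: int, data: bytes) -> bytes:
        text = SIZE.pack(len(data)) + data
        return HEADER.pack(code, len(text)) + text
    return xor(frame(3, b"echo constructed-sample") + frame(11, b""))


if __name__ == "__main__":
    for message in decode_stream(constructed_sample()):
        print(message)
```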

As part of our investigation, we obtained shell commands from the C2 server used to collect the following data about the victim:

  • System Integrity Protection (SIP) status;
  • System and device information, including:
    • Local IP address;
    • Information about Bluetooth devices;
    • Information about available Wi-Fi networks, available wireless network adapters and the network the device is connected to;
    • Hardware specifications;
    • Data storage information;
  • List of applications;
  • User information from WeChat;
  • User and organization information from DingTalk;
  • Username/website value pairs from Google Password Manager.

Getting data from WeChat

The malware attempts to obtain the victim’s WeChatID, email and phone number from WeChat. This data is stored in plain text in the userinfo.data file.

As for DingTalk, attackers are interested in more detailed victim data:

  • Name of the organization and department where the user works;
  • Username;
  • Corporate email address;
  • Phone number.

The script tries to get this data from the orgEmployeeModel file. If this file is missing, the malware searches for the user’s phone number and email in the sAlimailLoginEmail file. If it fails again, it attempts to find the user’s email in one of the DingTalk cache files named <date>.holmes.mapping. These files are also not encrypted and store data in plain text.

Getting data from DingTalk

Infrastructure

At the time of the study, four control servers were active and returning malicious commands. In some cases, as mentioned, the specified IP addresses included private ones. Such samples were likely used to control a victim’s device through a previously infected computer on the same local network, which acted as a proxy redirecting the connection to the C2 server. Typically, this helps to hide the presence of malware on the network, since only the device with the proxy will communicate with C2.

Some of the detected IP addresses have already been seen in malware attacks targeting Windows devices. Their appearance dates back to 2022, with one of the addresses showing up in HZ Rat attacks of that time.

Almost all of the C2 servers we found are located in China. The exceptions are two addresses located in the US and the Netherlands.

We also found that the installation package mentioned above, according to VirusTotal, was previously downloaded from a domain belonging to MiHoYo, a Chinese video game developer:

hxxp://vpn.mihoyo[.]com/uploads/OpenVPNConnect.zip.

It is not yet known for sure how this file got to the legitimate domain and whether the company was hacked.

Conclusion

The macOS version of HZ Rat we found shows that the threat actors behind the previous attacks are still active. During the investigation, the malware was only collecting user data, but it could later be used to move laterally across the victim’s network, as suggested by the presence of private IP addresses in some samples. The collected data about victims’ companies and contact information could be used to spy on people of interest and lay the groundwork for future attacks. Also noteworthy is the fact that at the time of the study we had not encountered the use of two of the backdoor commands (write file to disk and send file to server), so the full scope of the attackers’ intentions remains unclear.

Source: Securelist