In June 2024, we discovered a macOS version of the HZ Rat backdoor targeting users of the enterprise messenger DingTalk and the social network and messaging platform WeChat. The samples we found almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server. We noticed that some versions of the backdoor use local IP addresses to connect to C2, which led us to believe the threat may be targeted. This also points to an intention to exploit the backdoor for lateral movement through the victim’s network.
First detected by DCSO researchers in November 2022, HZ Rat initially targeted Windows systems and received commands in the form of PowerShell scripts.
Technical details
Despite not knowing the malware’s original distribution point, we managed to find an installation package for one of the backdoor samples. The file is named
OpenVPNConnect.pkg
:
OpenVPNConnect.pkg on VirusTotal
It was uploaded to VirusTotal in July 2023 and, at the time of research, wasn’t detected by any vendor, like other backdoor samples. The installer takes the form of a wrapper for the legitimate “OpenVPN Connect” application, while the
MacOS
package directory contains two files in addition to the original client:
exe
and
init
.
Structure of the malicious installation package
The system determines which file to run when the application is opened using the
Info.plist
configuration file. The first one to be launched is the
exe
file – a shell script that runs the
init
file, then launches the OpenVPN application:
Contents of the “exe” file
The
init
file is the actual backdoor. When launched, it establishes a connection to C2 based on the list of IP addresses specified in the backdoor itself. In most cases, the samples used port 8081 for connection. Additionally, we found backdoor samples using private IP addresses to connect to C2.
C2 IP addresses in the backdoor code
All communication with C2 is encrypted using XOR with the key 0x42. To initialize a session, the backdoor sends a random four-byte value, labeled
cookie
in the code. Each message has the following structure:
The executable file is written in C++ and contains debugging information, making it easy to identify:
Trojan class with malicious payload
The backdoor supports only four basic commands:
Code
Function name
Description
3, 8, 9
execute_cmdline
Execute shell command
4
write_file
Write file to disk
5
download_file
Send file to server
11
ping
Check victim’s availability
As part of our investigation, we obtained shell commands from the C2 server used to collect the following data about the victim:
- System Integrity Protection (SIP) status;
- System and device information, including:
- Local IP address;
- Information about Bluetooth devices;
- Information about available Wi-Fi networks, available wireless network adapters and the network the device is connected to;
- Hardware specifications;
- Data storage information;
- List of applications;
- User information from WeChat;
- User and organization information from DingTalk;
- Username/website value pairs from Google Password Manager.
Getting data from WeChat
The malware attempts to obtain the victim’s WeChatID, email and phone number from WeChat. This data is stored in plain text in the
userinfo.data
file.
As for DingTalk, attackers are interested in more detailed victim data:
- Name of the organization and department where the user works;
- Username;
- Corporate email address;
- Phone number.
The script tries to get this data from the
orgEmployeeModel
file. If this file is missing, the malware searches for the user’s phone number and email in the
sAlimailLoginEmail
file. If it fails again, it attempts to find the user’s email in one of the DingTalk cache files named
<date>.holmes.mapping
. These files are also not encrypted and store data in plain text.
Getting data from DingTalk
Infrastructure
At the time of the study, four control servers were active and returning malicious commands. In some cases, as mentioned, among the specified IP addresses there were private ones as well. Such samples were likely used to control a victim’s device with a previously infected computer within their local network that was used as a proxy to redirect the connection to the C2 server. Typically, this helps to hide the presence of malware on the network, since only the device with the proxy will communicate with C2.
Some of the detected IP addresses have already been seen in malware attacks targeting Windows devices. Their appearance dates back to 2022, with one of the addresses showing up in HZ Rat attacks of that time.
Almost all of the C2 servers we found are sited in China. The exceptions are two addresses located in the US and the Netherlands.
We also found that the installation package mentioned above, according to VirusTotal, was previously downloaded from a domain belonging to MiHoYo, a Chinese video game developer:
hxxp://vpn.mihoyo[.]com/uploads/OpenVPNConnect.zip.
It is not yet known for sure how this file got to the legitimate domain and whether the company was hacked.
Conclusion
The macOS version of HZ Rat we found shows that the threat actors behind the previous attacks are still active. During the investigation, the malware was only collecting user data, but it could later be used to move laterally across the victim’s network, as suggested by the presence of private IP addresses in some samples. The collected data about victims’ companies and contact information could be used to spy on people of interest and lay the groundwork for future attacks. Also noteworthy is the fact that at the time of the study we had not encountered the use of two of the backdoor commands (write file to disk and send file to server), so the full scope of the attackers’ intentions remains unclear.
Indicators of compromise
MD5 file hashes
Backdoor
0c3201d0743c63075b18023bb8071e73 – Mach-O 64-bit x86_64 executable
6cc838049ece4fcb36386b7a3032171f – Mach-O 64-bit x86_64 executable
6d478c7f94d95981eb4b6508844050a6 – Mach-O 64-bit x86_64 executable
7a66cd84e2d007664a66679e86832202 – Mach-O 64-bit x86_64 executable
7ed3fc831922733d70fb08da7a244224 – Mach-O 64-bit x86_64 executable
9cdb61a758afd9a893add4cef5608914 – Mach-O 64-bit x86_64 executable
287ccbf005667b263e0e8a1ccfb8daec – Mach-O 64-bit x86_64 executable
7005c9c6e2502992017f1ffc8ef8a9b9 – Mach-O 64-bit x86_64 executable
7355e0790c111a59af377babedee9018 – Mach-O 64-bit x86_64 executable
a5af0471e31e5b11fd4d3671501dfc32 – Mach-O 64-bit x86_64 executable
da07b0608195a2d5481ad6de3cc6f195 – Mach-O 64-bit x86_64 executable
dd71b279a0bf618bbe9bb5d934ce9caa – Mach-O 64-bit x86_64 executable
Malicious installation package
8d33f667ca135a88f5bf77a0fab209d4 – Apple software package
C2 IP addresses
111.21.246[.]147
123.232.31[.]206
120.53.133[.]226
218.193.83[.]70
29.40.48[.]21
47.100.65[.]182
58.49.21[.]113
113.125.92[.]32
218.65.110[.]180
20.60.250[.]230
Source:: Securelist