RustDoor (macOS) and GateDoor (Windows) are a cross‑platform pair of malware disguised as legitimate updates or utilities, with RustDoor acting as a backdoor and GateDoor as a loader. They share overlapping C2 infrastructure linked to ShadowSyndicate, and employ techniques like DLL search order hijacking and legitimate‑looking distribution to load and execute payloads across macOS and Windows.
#RustDoor #ShadowSyndicate
Keypoints
- RustDoor (macOS) and GateDoor (Windows) were developed for cross‑platform deployment, with Rust used on macOS and Go used on Windows.
- RustDoor and GateDoor are distributed as normal updates or utilities (e.g., VisualStudioUpdater, ChromeUpdates) to evade detection.
- GateDoor on Windows was delivered via WebViewHost with DLL Search Order Hijacking to load a malicious DLL and drop GateDoor.
- Both threats communicate with a C2 server, using shared endpoints and infrastructure tied to a ShadowSyndicate ecosystem.
- RustDoor focuses on backdoor functionality; GateDoor functions as a loader that also supports command execution.
- The deployment infrastructure includes domains, IPs, and hosting across several countries, suggesting a RaaS‑style operation with ShadowSyndicate links.
- Early‑stage development with low obfuscation; ongoing expansion of features and infrastructure is expected.
MITRE Techniques
- [T1036] Masquerading – RustDoor and GateDoor are disguised as legitimate update programs (e.g., VisualStudioUpdater, ChromeUpdates). “RustDoor is disguised as a normal update program, as it is distributed under file names such as VisualStudioUpdater and ChromeUpdates.”
- [T1547.001] Boot or Logon Autostart Execution – macOS persistence via a Launch Agents plist in /Library/LaunchAgents to keep RustDoor active. “registers malware in the macOS startup program by creating a new plist in the /Library/LaunchAgents path to maintain persistence.”
- [T1574.001] DLL Search Order Hijacking – GateDoor on Windows loads a malicious DLL via DLL Search Order Hijacking when WebViewHost.exe runs. “using the DLL Search Order Hijacking(T1574.001) technique to load a malicious DLL that downloads GateDoor.”
- [T1105] Ingress Tool Transfer – The GateDoor Downloader DLL fetches and runs the GateDoor payload from an external server. “the DLL file downloads and executes the GateDoor malware from an external server.”
- [T1588.004] Acquire Digital Certificates – GateDoor components signed with a valid certificate to appear legitimate. “GateDoor MSI file, GateDoor Downloader, and GateDoor malware signed with a valid certificate.”
- [T1071.001] Web Protocols – C2 communications occur over Web protocols (HTTP/S) to exchange data with the C2 server. “The C2 server delivers data… to RustDoor, which uses HTTP POST and other Web Protocols.”
- [T1027] Obfuscated/Compressed Files and Information – GateDoor config values are XOR‑encrypted to conceal settings. “The GateDoor Downloader contains the following config values, and these values are encrypted with a specific XOR key value ("nfmMoPCj").”
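Two of the techniques above lend themselves to small defender scripts: recovering XOR'd config strings with the key the report quotes, and checking a LaunchAgents plist for the file names the report associates with RustDoor. The following is an added example, not code from the report or from either malware family; the encoded config blob and the plist are constructed here, and the C2 URL in the sample is a placeholder.

```python
"""Triage helpers for the RustDoor / GateDoor report (added example, constructed inputs)."""
import plistlib
from itertools import cycle

# XOR key quoted in the report for the GateDoor Downloader config values.
XOR_KEY = b"nfmMoPCj"

def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR: the same call both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def decode_config(blob: bytes) -> str:
    """Decode one XOR'd config value back to text (undecodable bytes are replaced)."""
    return xor_with_key(blob).decode("utf-8", errors="replace")

# Constructed sample: a config value as it might sit in the downloader after XOR.
# The URL is a placeholder (.invalid TLD), not an indicator from the report.
SAMPLE_PLAINTEXT = b"https://c2.example.invalid/api"
SAMPLE_ENCODED = xor_with_key(SAMPLE_PLAINTEXT)

# File names the report lists for the RustDoor droppers and backdoor.
SUSPICIOUS_NAMES = ("VisualStudioUpdater", "ChromeUpdates", "Previewers")

# Constructed plist resembling what a RustDoor Launch Agent in /Library/LaunchAgents could contain.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.update</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/VisualStudioUpdater</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

def launch_agent_hits(plist_bytes: bytes) -> list[str]:
    """Return program paths in a Launch Agent plist that match the report's file names."""
    doc = plistlib.loads(plist_bytes)
    candidates = list(doc.get("ProgramArguments", []))
    if "Program" in doc:
        candidates.append(doc["Program"])
    return [p for p in candidates if any(name in p for name in SUSPICIOUS_NAMES)]

if __name__ == "__main__":
    print(decode_config(SAMPLE_ENCODED))
    print(launch_agent_hits(SAMPLE_PLIST))
```

To use it on a real host, read each file under /Library/LaunchAgents and ~/Library/LaunchAgents and pass its bytes to launch_agent_hits; a non-empty result is a lead to investigate, not proof of infection by itself.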
Indicators of Compromise
- [File Hash] 8aad26c42b61e34c7fa67b4b1937cd391662f2176e350d01c57efcd6c660ba40, 93e5e5199b1af664c5cdd8bdc64ae9c04b0f6600d22612368c4239af79d0c81f, and 4 more hashes
- [SHA256] 9dd66e5692e496c9cfcc647edf593c323404424cad61276725efb934b64b96e9
- [IP Address] 193.29.13.152, 88.214.26.22, and 2 more IPs
- [Domain] trendfilesalgol.com, maconlineoffice.com, and 6 more domains
- [File Name] VisualStudioUpdater, ChromeUpdates, edging.zip, BinMS.msi, Jobinfo.app.zip, Previewers, and 1 more file name
- [File Path/Registry] C:\Users\[Username]\AppData\Roaming\Microsoft\Edging, HKEY_CURRENT_USER\ActivateS sub registry key value (Microsoft\Edging)
- [Certificate] GateDoor and its downloader signed with a valid certificate