A macOS variant of the HZ Rat backdoor targeting DingTalk and WeChat was uncovered in June 2024, mirroring its Windows counterpart while delivering payloads via shell scripts. The malware communicates with C2 servers (primarily in China), harvests user and device data, and shows signs of lateral movement within infected networks. #HZ_Rat #DingTalk #WeChat #macOS #OpenVPNConnect #MiHoYo #C2
Keypoints
- Discovery of a macOS version of HZ Rat targeting DingTalk and WeChat.
- Functionality closely resembles the Windows version, with payload delivery via shell scripts instead of PowerShell.
- Installation uses a wrapper named OpenVPNConnect.pkg; the Info.plist selects which component to run.
- Backdoor supports commands to execute shell commands, write files, download files, and ping the victim.
- Data collected includes WeChat and DingTalk user data, system/hardware details, and network information.
- Infrastructure includes several C2 servers (mostly in China) with some private IPs used for potential lateral movement.
MITRE Techniques
- [T1071] Command and Control – Backdoor establishes a connection to C2 servers and encrypts communications using XOR with 0x42 ("All communication with C2 is encrypted using XOR with the key 0x42.")
- [T1119] Data Collection – Collects user data from applications like WeChat and DingTalk ("The malware attempts to obtain the victim's WeChatID, email and phone number from WeChat.")
- [T1203] Execution – Executes shell commands via backdoor commands ("Executing shell commands via backdoor commands.")
- [T1003] Credential Dumping – Attempts to extract user credentials from applications ("Attempting to extract user credentials from applications.")
- [T1041] Exfiltration Over Command and Control Channel – Sends collected data back to C2 servers ("Sending collected data back to C2 servers.")
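The single-byte XOR described under T1071 is the weak point an analyst can lean on when reviewing captured traffic. The following is an added example (not code from the Securelist report or from the malware) that decodes a message with the reported key 0x42 and, more generally, recovers any single-byte XOR key from one guessable plaintext fragment; the beacon format, field names and sample payload are constructed assumptions, only the key comes from the report.

```python
"""Analyst helper for HZ Rat-style C2 traffic obfuscated with single-byte XOR.

Added example, not code from the Securelist report or from the malware.
The beacon format and the sample payload below are constructed for
illustration; only the key 0x42 comes from the report.
"""

HZ_RAT_KEY = 0x42  # single-byte XOR key reported for HZ Rat C2 traffic


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same op."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor_keys(ciphertext: bytes, crib: bytes) -> set[int]:
    """Known-plaintext check that generalises beyond 0x42: return every
    single-byte key under which `crib` appears somewhere in the decoded
    text. A single-byte XOR leaks its key as soon as one plaintext
    fragment (a field name, a hostname prefix) can be guessed."""
    keys = set()
    for offset in range(len(ciphertext) - len(crib) + 1):
        window = ciphertext[offset : offset + len(crib)]
        candidate = window[0] ^ crib[0]
        # the same key must explain every byte of the crib at this offset
        if all(c ^ p == candidate for c, p in zip(window, crib)):
            keys.add(candidate)
    return keys


def decode_hz_rat_message(ciphertext: bytes) -> str:
    """Decode a captured message with the reported key."""
    return xor_bytes(ciphertext, HZ_RAT_KEY).decode("utf-8", errors="replace")


# Constructed sample of what an exfiltrated host-info line might look like,
# encoded the way the report describes (XOR 0x42). Not a real capture.
SAMPLE_PLAINTEXT = b"hostname=victim-mac;user=alice;os=macOS 14.5\n"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, HZ_RAT_KEY)

if __name__ == "__main__":
    print("candidate keys:", recover_single_byte_xor_keys(SAMPLE_CIPHERTEXT, b"hostname="))
    print("decoded:", decode_hz_rat_message(SAMPLE_CIPHERTEXT))
```

Feed real captures in place of SAMPLE_CIPHERTEXT and a crib such as a field name you expect in the beacon; a key set of size one confirms the traffic matches the reported scheme.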
Indicators of Compromise
- [MD5 file hashes] Backdoor and installation package – 0c3201d0743c63075b18023bb8071e73, 6cc838049ece4fcb36386b7a3032171f, and 10 more hashes
- [C2 IP addresses] – 111.21.246.147, 123.232.31.206, and 8 more IPs
- [Domain] vpn.mihoyo.com – hosted the malicious installation package OpenVPNConnect.zip
- [File name] OpenVPNConnect.pkg – malicious installation package
- [File name] OpenVPNConnect.zip – hosted package file
- [Files/Paths] – orgEmployeeModel, sAlimailLoginEmail, .holmes.mapping, userinfo.data – data sources used to extract victim information
Read more: https://securelist.com/hz-rat-attacks-wechat-and-dingtalk/113513/