TechRadar
Sead Fadilpašić

MacOS users of some of the biggest chat apps around are being hit with new malware scam

Two cybercriminals escape with stolen login credentials.

Chinese macOS users who rely on the DingTalk and WeChat apps to communicate are being targeted with new information-stealing malware, experts have warned.

Cybersecurity researchers at Kaspersky analyzed a new malware sample, recently uploaded to VirusTotal, and discovered that hackers had taken a known infostealer called HZ RAT and repurposed it for macOS.

HZ RAT has been around for almost half a decade (since 2020), but was first identified by the German cybersecurity outlet DCSO in late 2022. For an infostealer, HZ RAT is relatively rudimentary and unsophisticated. It can connect to a command & control (C2) server, execute PowerShell commands and scripts, write arbitrary files to the target system, upload files, and send system information.

Chinese C2 servers

The Hacker News claims that given its limited functionality, HZ RAT is probably used for credential harvesting and system reconnaissance.

Now, someone has taken it and produced a near-identical copy for macOS. “The samples we found almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server,” Kaspersky said.

Another aspect in which the Windows and macOS versions are similar is how they reach the target endpoint in the first place. While Windows variants impersonated legitimate software such as OpenVPN, PuTTYgen, or EasyConnect, the macOS versions seen so far impersonate the OpenVPN Connect client.

The data grabbed by HZ RAT differs depending on the chat app in use, Kaspersky further explained: “The malware attempts to obtain the victim’s WeChatID, email, and phone number from WeChat,” the researchers said. “As for DingTalk, attackers are interested in more detailed victim data: name of the organization and department where the user works, username, corporate email address, [and] phone number.”

While the identity of the attackers is unknown, the researchers managed to determine where the C2 infrastructure is located. The majority of the servers are based in China, with two found in the US and the Netherlands.

Via The Hacker News
