A remote access trojan (RAT) known as HZ RAT, which has been attacking Windows-based devices since at least 2020, has recently been upgraded to target Mac users as well.
Typically, a RAT is a type of malware that an attacker employs to take remote control of a target computer and obtain full administrator capabilities.
RATs are frequently delivered to their target as an attachment in phishing emails, or they are downloaded bundled with applications that appear legitimate, such as video games.
On September 5, Intego stated that a new version of HZ RAT, designed to attack macOS environments, had been released in the wild.
According to prior reports on HZ RAT, the malware originates in China, although Intego does not disclose attribution information.
HZ RAT, a recent addition to the Mac malware family, is a tool that grants an attacker complete remote administration access. This RAT first surfaced on Windows PCs in 2022, and it has now made its way to the Mac.
As stated in the Moonlock report, HZ RAT can spy on users and steal data, but it is not a typical stealer, given its ingenuity and persistence. As a remote access trojan, the malware grants the attacker full remote administrator capabilities.
“The malware can take screenshots, record what a user types, steal data from Google Password Manager, and go after user data to breach their WeChat and DingTalk — both of which are popular Mac apps in China”, reads the report.
Once installed, the malware establishes a connection with a command-and-control server to obtain further instructions.
This means the attacker can exfiltrate files to their server, write arbitrary files to the system, and remotely execute PowerShell scripts and commands.
It is believed that watering hole-style attacks, malicious Google Ads, and website impersonation could be used to spread the new Mac malware.
From a compromised Mac, the malware can collect the following information:
While the malware does not harvest passwords from Google Password Manager, it is suspected that the actors combine password leaks obtained on the dark web with the usernames and other data extracted by the malware.
The true purpose of this campaign, beyond data collection, is unknown. Even more concerning is that security providers have not been able to detect this malware.
Furthermore, Intego discovered a malware sample that mimicked the OpenVPN Connect VPN app. The Securelist analysis likewise reveals that this malware poses as OpenVPN Connect.
A 2022 examination of the Windows version of this malware also uncovered multiple Chinese IP addresses and domains associated with the operation.
About 80% of the IPs on the list were discovered to be active but unreachable, with the remaining 20% being inactive.
To safeguard your Mac against these and other risks, download software only from reliable sources, such as the Apple App Store. Update your operating system and security software, and be vigilant of suspicious communications, links, or attachments.