Cyber Security News

New Malware Mimic as Visual Studio Update to Attack macOS users

A new backdoor written in Rust has been discovered to target macOS users with several interesting features. Moreover, there have been 3 variants of backdoor found masquerading under the name of Visual Studio Update.

The backdoor is distributed as FAT binaries with Mach-O files for x84_64 Intel and ARM architectures. In addition to this, the backdoor dates back to early November 2023, with the latest sample being found on Feb 2nd, 2024. 

Document
Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks .

Malware Mimic as Visual Studio Update

Bitdefender said that , most of the samples have the same core functionalities with little variations. A list of identified samples is as follows:

  • zshrc2
  • Previewers
  • VisualStudioUpdater
  • VisualStudioUpdater_Patch
  • VisualStudioUpdating
  • visual studio update
  • DO_NOT_RUN_ChromeUpdates

All of the variants support the following commands

  • ps
  • shell
  • cd
  • mkdir
  • rm
  • rmdir
  • sleep
  • upload
  • botkill
  • dialog
  • taskkill
  • download

Variant 1

This was found to be a test version of the backdoor identified by the plist file (test.plist). However, the embedded plist file was found to be copy-pasted from a public writeup that describes the mechanisms and sandbox evasion techniques for macOS.

Variant 1 source files (Source: Bitdefender)
.plist file created for persistence (Source: Bitdefender)

Variant 2

The number of files in this second variant has several large files containing a complex JSON configuration along with an embedded Apple Script for extracting the data. This Apple script had been found with several variants, all of them meant for data exfiltration purposes.

Variant 1 source files (Source: Bitdefender)

Moreover, the configuration options contain a list of applications to be impersonated to spoof the administrator password with a dialog box.

Variant zero

This was the oldest version that first appeared on November 11, 2023. Since this was the earliest version of the backdoor, it lacks the Apple script and embedded configurations.

Bitdefender has published a comprehensive report on a backdoor that has been traced back to the BlackBasta and (ALPHV/BlackCat) ransomware operators. The report contains in-depth information on the backdoor’s various variants, samples, source code, and other relevant details.

Indicators of Compromise

Binaries

  • 6dd3a3e4951d34446fe1a5c7cdf39754 (VisualStudioUpdater_Patch)
  • 90a517c3dab8ceccf5f1a4c0f4932b1f (VisualStudioUpdater_Patch)
  • b67bba781e5cf006bd170a0850a9f2d0 (VisualStudioUpdating)
  • f5774aca722e0624daf67a2da5ec6967 (VisualStudioUpdater_Patch)
  • 52a9d67745f153465fac434546007d3a (Previewers)
  • 30b27b765878385161ca1ee71726a5c6 (DO_NOT_RUN_ChromeUpdates)
  • 1dbc26447c1eaa9076e65285c92f7859 (visualstudioupdate)
  • 05a8583f36599b5bc93fa3c349e89434 (VisualStudioUpdater)
  • 5d0c62da036bbe375cb10659de1929e3 (VisualStudioUpdater)
  • 68e0facbf541a2c014301346682ef9ca (VisualStudioUpdater)
  • b2bdd1d32983c35b3b1520d83d89d197 (zshrc2)
  • 5fcc12eaba8185f9d0ddecafae8fd2d1 (zshrc2)
  • 97cd4fc94c59121f903f2081df1c9981
  • 28bdd46d8609512f95f1f1b93c79d277
  • 3e23308d074d8bd4ffdb5e21e3aa8f22
  • 088779125434ad77f846731af2ed6781
  • b67f6e534d5cca654813bd9e94a125b9
  • cf54cba05efee9e389e090b3fd63f89b
  • 44fcf7253bcf0102811e50a4810c4e41
  • 690a097b0eea384b02e013c1c0410189
  • 186be45570f13f94b8de82c98eaa8f4f
  • 3c780bcfb37a1dfae5b29a9e7784cbf5
  • 925239817d59672f61b8332f690c6dd6
  • 9c6b7f388abec945120d95d892314ea7
  • 85cd1afbc026ffdfe4cd3eec038c3185
  • 6aaba581bcef3ac97ea98ece724b9092
  • bcbbf7a5f7ccff1932922ae73f6c65b7
  • bde0e001229884404529773b68bb3da0
  • 795f0c68528519ea292f3eb1bd8c632e
  • bc394c859fc379900f5648441b33e5fd
  • 0fe0212fc5dc82bd7b9a8b5d5b338d22
  • 835ebf367e769eeaaef78ac5743a47ca
  • bdd4972e570e069471a4721d76bb5efb

Download domains

  • https[:]//sarkerrentacars[.]com/zshrc
  • https[:]//turkishfurniture[.]blog/Previewers
  • http[:]//linksammosupply[.]com/zshrc2
  • http[:]//linksammosupply[.]com/VisualStudioUpdaterLs2
  • http[:]//linksammosupply[.]com/VisualStudioUpdater

C&C URLs

  • maconlineoffice[.]com
  • 193.29.13[.]167
  • 88.214.26[.]22
  • https://serviceicloud[.]com

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.

Recent Posts

15 Best Enterprise Risk Management Tools 2024

Enterprise Risk Management (ERM) tools help organizations identify, assess, manage, and monitor risks across their…

1 hour ago

UEFIcanhazbufferoverflow Flaw In Intel Processors Impacts 100s of PCs & Servers

The Phoenix SecureCore UEFI firmware has discovered a new vulnerability, which runs on several Intel…

17 hours ago

New Linux Variant Of RansomHub Attacking ESXi Systems

Hackers often attack ESXi systems, as they are widely used in enterprise environments to manage…

18 hours ago

Over 50% of US Car Dealers Are Shut Down Following CDK Hack Attack

A cyberattack on CDK Global, a major provider of automotive dealership software solutions, has caused…

19 hours ago

Hackers Published Sensitive Data Stolen From London Hospitals

A cyber-attack on London hospitals resulted in the publication of sensitive data stolen from Synnovis,…

21 hours ago

Hackers Employing FB Infrastructure to Steal Your Account Passwords

Cybercriminals in password theft are constantly developing new ways to deliver phishing emails. They’ve learned…

21 hours ago