Users of Apple macOS are the target of a recently discovered Rust-based backdoor that has gone unnoticed since November 2023.
The backdoor, which Bitdefender has codenamed RustDoor, masquerades as an update for Microsoft Visual Studio and targets both Intel and Arm architectures.
The exact initial access method used to deliver the implant is not known at this time; however, it is reported to be distributed as FAT (universal) binaries that contain Mach-O files.
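Because the implant ships as a FAT (universal) binary carrying a Mach-O slice per architecture, the first question when triaging a sample is which slices it actually contains and whether the slice table agrees with each slice's own header. The following Python is an added example, not code from the article or from Bitdefender's report: it parses the fat header and each slice's mach_header_64 using the public constants from Apple's <mach-o/fat.h> and <mach-o/loader.h>. The input is constructed inline (two empty MH_EXECUTE headers for x86_64 and arm64, not a real sample), and it rejects thin Mach-O files and truncated slice tables instead of misreporting them.

```python
import struct

# Constants from Apple's <mach-o/fat.h> and <mach-o/loader.h>
FAT_MAGIC = 0xCAFEBABE     # fat header, always big-endian, 32-bit fat_arch entries
FAT_MAGIC_64 = 0xCAFEBABF  # fat header with 64-bit fat_arch_64 entries
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O header in the slice's native byte order
MH_CIGAM_64 = 0xCFFAEDFE   # MH_MAGIC_64 as seen when read in the opposite byte order

CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
MH_FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}


def describe_macho(blob: bytes) -> dict:
    """Decode the mach_header_64 at the start of one slice."""
    if len(blob) < 32:
        raise ValueError("slice too small for a mach_header_64")
    magic_be = struct.unpack_from(">I", blob, 0)[0]
    if magic_be == MH_CIGAM_64:      # bytes CF FA ED FE: little-endian slice (x86_64 and arm64)
        fmt = "<IiiIIII"
    elif magic_be == MH_MAGIC_64:    # big-endian slice
        fmt = ">IiiIIII"
    else:
        raise ValueError(f"slice is not a 64-bit Mach-O (magic 0x{magic_be:08x})")
    _, cputype, _, filetype, ncmds, sizeofcmds, _ = struct.unpack_from(fmt, blob, 0)
    return {
        "cputype": CPU_NAMES.get(cputype, f"0x{cputype & 0xFFFFFFFF:08x}"),
        "filetype": MH_FILETYPES.get(filetype, f"filetype {filetype}"),
        "ncmds": ncmds,
        "sizeofcmds": sizeofcmds,
    }


def parse_fat(data: bytes) -> list[dict]:
    """Return one record per architecture slice of a universal (fat) binary.

    Raises ValueError for thin Mach-O files and for fat headers whose slice
    table points outside the file, so a truncated or crafted sample fails
    loudly instead of being silently misreported.
    """
    if len(data) < 8:
        raise ValueError("file too short for a fat header")
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic == FAT_MAGIC:
        entry_fmt = ">iiIII"      # cputype, cpusubtype, offset, size, align
    elif magic == FAT_MAGIC_64:
        entry_fmt = ">iiQQII"     # same, with 64-bit offset/size plus a reserved word
    else:
        raise ValueError(f"not a fat binary (magic 0x{magic:08x}); may be a thin Mach-O")
    if nfat == 0 or nfat > 64:    # real universal binaries carry a handful of slices
        raise ValueError(f"implausible slice count {nfat}")
    entry_size = struct.calcsize(entry_fmt)
    if 8 + nfat * entry_size > len(data):
        raise ValueError("slice table runs past end of file")
    slices = []
    for i in range(nfat):
        fields = struct.unpack_from(entry_fmt, data, 8 + i * entry_size)
        cputype, _cpusubtype, offset, size, align = fields[:5]
        table_arch = CPU_NAMES.get(cputype, f"0x{cputype & 0xFFFFFFFF:08x}")
        if offset + size > len(data):
            raise ValueError(f"slice {i} ({table_arch}) extends past end of file")
        macho = describe_macho(data[offset:offset + size])
        slices.append({
            "arch": table_arch,
            "offset": offset,
            "size": size,
            "align": 1 << align,
            "macho": macho,
            # The fat table and the slice header both name the CPU; disagreement
            # is a red flag worth surfacing during triage.
            "consistent": table_arch == macho["cputype"],
        })
    return slices


def build_sample_fat() -> bytes:
    """Constructed sample: a two-slice fat binary whose slices are bare
    MH_EXECUTE headers (32 bytes each). Illustrative data, not RustDoor."""
    align = 12                       # slices are page-aligned (2**12 = 4096 bytes)
    page = 1 << align
    arches = [(CPU_TYPE_X86_64, 3), (CPU_TYPE_ARM64, 0)]   # cpusubtype *_ALL values
    buf = bytearray(page * (len(arches) + 1))
    struct.pack_into(">II", buf, 0, FAT_MAGIC, len(arches))
    for i, (cputype, subtype) in enumerate(arches):
        offset = page * (i + 1)
        # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
        header = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, subtype, 2, 0, 0, 0, 0)
        buf[offset:offset + len(header)] = header
        struct.pack_into(">iiIII", buf, 8 + i * 20, cputype, subtype, offset, len(header), align)
    return bytes(buf)


if __name__ == "__main__":
    for s in parse_fat(build_sample_fat()):
        print(f"{s['arch']:7} offset=0x{s['offset']:x} size={s['size']} "
              f"{s['macho']['filetype']} consistent={s['consistent']}")
```

Run against a real file, `parse_fat(open(path, "rb").read())` lists each architecture slice with its offset and size, which is what is needed to carve a single slice out for static analysis; a `consistent=False` row or a ValueError on a sample that macOS still runs is itself a finding worth noting.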
Several variants of the malware, each differing only slightly from the others, have been discovered so far, which most likely indicates that it is still under active development. The oldest known sample of RustDoor was created on November 2, 2023.
It supports a wide range of commands that allow it to collect and upload files and to harvest information about the compromised endpoint.
Additionally, certain versions provide options that give specifics regarding the data that should be collected, the list of extensions and directories that should be targeted, and the directories that should be excluded.
The harvested information is then sent to a command-and-control (C2) server.
The Romanian cybersecurity company stated that the malware is most likely connected to well-known ransomware families such as Black Basta and BlackCat because of overlaps in the C2 architecture.
According to security researcher Andrei Lapusneanu, “ALPHV/BlackCat is a ransomware family that appeared for the first time in November 2021 and that has pioneered the public leaks business model.” That ransomware family is also written in Rust.
In December 2023, the United States government announced that it had disrupted the BlackCat ransomware operation and released a decryption tool, allowing more than 500 affected victims to regain access to files that the malware had encrypted.