Full Report
UPDATE: Following our initial release, we have been contacted by our fellow researchers at Jamf who were able to identify three more samples that act like first-stage payloads. They are responsible for downloading the backdoor:

- `e7cab6f2be47940bf36e279bbec54ec7` - Jobinfo.app.zip
- `26d6a7e3507edf9953684d367dcd44bd` - Jobinfo.zip
- `775851f86cbde630808ff6d2cf8cedbf` - Jobinfo.zip

Combined with information in our previous research, the investigation of these samples revealed new components of t
Analysis Summary
This summary consolidates information regarding two distinct sets of macOS malware observed in the provided context: a newly discovered Rust-based backdoor, and components related to an older, financially motivated campaign targeting cryptocurrency entities.
# Tool/Technique: Undocumented Rust-based macOS Backdoor (Trojan.MAC.RustDoor.*)
## Overview
A previously undocumented family of malware discovered targeting macOS users, written in Rust. It appears to be distributed impersonating a Visual Studio update.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: macOS (x86_64 Intel and ARM architectures via FAT binaries)
- Capabilities: Establishing persistence, environment discovery, and communication with C2 infrastructure.
- First Seen: As early as November 2023, with the freshest sample spotted on February 2nd, 2024.
## MITRE ATT&CK Mapping
*Not explicitly mapped in the source text; the following is a general mapping:*
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- TA0003 - Persistence
- T1547 - Boot or Logon Autostart Execution
## Functionality
### Core Capabilities
- Distribution as FAT binaries (`Mach-O` files) supporting multiple architectures.
- Source code written in Rust.
- Variants (Zero, 1, 2) share core functionalities with minor variations.
- Disguised as legitimate software updates (e.g., Visual Studio updates).
### Advanced Features
- Uses system utilities for extensive environment discovery (e.g., `system_profiler`, `networksetup`, `diskutil`, `sysctl -a`).
- Implements C2 communication via specific endpoints (`maconlineoffice.com`, `serviceicloud.com`, etc.).
## Indicators of Compromise
- File Hashes:
  - `6dd391d44fe1d34446fe1a5c7cdf39754`, `90a517d3dab8ceccf5f1a4c0f4932b1f`, `b67bba781e5cf006bd170a0850a9f2d0`, `f5774aca722e0624daf67a2da5ec6967`, `52a9d67745f153465fac434546007d3a`, `30b27b765878385161ca1ee71726a5c6`, `1dbc26447c1eaa9076e65285c92f7859`, `05a8583f36599b5bc93fa3c349e89434`, `5d0c62da036bbe375cb10659de1929e3`, `68e0facbf541a2c014301346682ef9ca`, `b2bdd1d32983c35b3b1520d83d89d197`, `5fcc12eaba8185f9d0ddecafae8fd2d1` (and many others listed).
- File Names: `zshrc2`, `Previewers`, `VisualStudioUpdater`, `VisualStudioUpdater_Patch`, `VisualStudioUpdating`, `visualstudioupdate`, `DO_NOT_RUN_ChromeUpdates`.
- Network Indicators:
  - Download Domains: `sarkerrentacars.com` (defanged), `turkishfurniture.blog` (defanged), `linksammosupply.com` (defanged).
  - C&C URLs: `maconlineoffice.com` (defanged), `serviceicloud.com` (defanged).
  - C&C IPs: `193.29.13.167`, `88.214.26.22`.
## Associated Threat Actors
- Undocumented/New actor targeting macOS.
## Detection Methods
- Signature-based detection (`Trojan.MAC.RustDoor.*`).
- Detection based on file structure (FAT binaries specific to this campaign).
- Detection of external file execution from application bundles/impersonated updates.
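The two structural detection ideas above (matching the observed hashes and file names, and recognising the FAT Mach-O layout the campaign ships) can be combined in one triage check. The following is an added example, not code from the report or from the vendor; it parses the universal-binary header with `struct`, computes an MD5 to compare against the report's IoC list, and builds a constructed sample file in memory so it runs offline. The `build_sample_fat` helper and the dummy slices it produces are assumptions for testing, not real samples.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE          # big-endian magic of a universal ("FAT") Mach-O
FAT_ARCH_SIZE = 20              # struct fat_arch: cputype, cpusubtype, offset, size, align
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64", 0x00000007: "i386"}

# MD5 values and file names copied verbatim from the report's IoC list (subset).
RUSTDOOR_MD5 = {
    "90a517d3dab8ceccf5f1a4c0f4932b1f", "b67bba781e5cf006bd170a0850a9f2d0",
    "f5774aca722e0624daf67a2da5ec6967", "52a9d67745f153465fac434546007d3a",
}
RUSTDOOR_NAMES = {
    "zshrc2", "Previewers", "VisualStudioUpdater", "VisualStudioUpdater_Patch",
    "VisualStudioUpdating", "visualstudioupdate", "DO_NOT_RUN_ChromeUpdates",
}


def parse_fat_header(data: bytes):
    """Return [(arch_name, offset, size), ...] if `data` is a FAT Mach-O, else None."""
    if len(data) < 8:
        return None
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        return None
    # Java .class files share the 0xCAFEBABE magic; there the next field is the
    # class-file version (52 for Java 8), so an implausible slice count rules them out.
    if nfat_arch == 0 or nfat_arch > 32:
        return None
    if len(data) < 8 + FAT_ARCH_SIZE * nfat_arch:
        return None
    slices = []
    for i in range(nfat_arch):
        start = 8 + FAT_ARCH_SIZE * i
        cputype, _subtype, offset, size, _align = struct.unpack(
            ">IIIII", data[start:start + FAT_ARCH_SIZE])
        if offset + size > len(data):   # slice outside the file: corrupt or truncated
            return None
        slices.append((CPU_NAMES.get(cputype, hex(cputype)), offset, size))
    return slices


def assess_file(name: str, data: bytes, md5_iocs=RUSTDOOR_MD5, name_iocs=RUSTDOOR_NAMES):
    """Score one file against the report's indicators; returns a dict of findings."""
    digest = hashlib.md5(data).hexdigest()
    slices = parse_fat_header(data)
    return {
        "md5": digest,
        "hash_match": digest in md5_iocs,
        "name_match": name in name_iocs,
        "is_fat": slices is not None,
        "archs": [s[0] for s in slices] if slices else [],
    }


def build_sample_fat(cputypes):
    """Constructed test input (assumption): a minimal FAT header plus tiny dummy slices."""
    header = struct.pack(">II", FAT_MAGIC, len(cputypes))
    body_start = 8 + FAT_ARCH_SIZE * len(cputypes)
    arch_table, body = b"", b""
    for cputype in cputypes:
        slice_bytes = struct.pack("<I", 0xFEEDFACF) + b"\x00" * 12  # 64-bit Mach-O magic + padding
        arch_table += struct.pack(">IIIII", cputype, 0, body_start + len(body), len(slice_bytes), 4)
        body += slice_bytes
    return header + arch_table + body


if __name__ == "__main__":
    sample = build_sample_fat([0x01000007, 0x0100000C])   # x86_64 + arm64, like the report's samples
    print(assess_file("VisualStudioUpdater", sample))
```

On a real host you would feed `assess_file` the bytes of each candidate under `~/Downloads`, application bundles and LaunchAgents paths; a name match or a FAT binary alone is only a lead (many legitimate apps are universal), while a hash match against the report's list is conclusive.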
## Mitigation Strategies
- Implement strict application whitelisting policies, especially regarding unknown binaries masquerading as system updates.
- Monitor for execution of binaries matching the observed hashes or file names.
## Related Tools/Techniques
- N/A (This is the newly discovered malware family itself).
***
# Tool/Technique: Golang Environment Discovery Binaries (DataCollector, psaux, erp_soft)
## Overview
Four new Go-based Mach-O binaries identified as part of an attack chain that previously involved shell/Apple scripts downloading a main backdoor component. These binaries focus on detailed environment discovery and communicate with specific C2 infrastructure.
## Technical Details
- Type: Malware component/Tool (Golang binaries)
- Platform: macOS
- Capabilities: Information gathering about system configuration, software, hardware, and active network services.
- First Seen: Identified after the initial report; they appear to belong to the main backdoor's follow-up activity.
## MITRE ATT&CK Mapping
- TA0009 - Collection
- T1082 - System Information Discovery
- T1119 - Automated Collection
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
- Execution functions: `main.execCommand` and `main.sendDataToServer`.
- Gathers system details using built-in macOS utilities:
  - Software and Hardware Data (`system_profiler SPSoftwareDataType SPHardwareDataType`).
  - Network Service/Port Information (`networksetup -listallnetworkservices`, `networksetup -listallhardwareports`).
  - Executes commands like `launchctl list` to find persistence mechanisms (LaunchAgents/LaunchDaemons).
  - Retrieves disk details (`diskutil list`).
  - Collects numerous kernel parameters (`sysctl -a`).
### Advanced Features
- Written in Go, reportedly undetected on VirusTotal at discovery time.
- Communicates with the domain `sarkerrentacars.com` (defanged).
## Indicators of Compromise
- File Hashes (Go binaries):
  - `a91f92bb993fad6ccbd3fd4bb953f963`
  - `abdfe38311b621f54511b2afa434266e`
  - `95a42a8c422c333c60467460479c66ba`
  - `08ae923c3c6b7e94b61402ae8c0c396b`
- File Names: `DataCollector`, `psaux`, `erp_soft`.
- Network Indicators: Connection established to `sarkerrentacars.com` (defanged).
## Associated Threat Actors
- The actor(s) responsible for the initial fake job offering campaign, later revealed to be targeting cryptocurrency companies.
## Detection Methods
- Detection of the specific file hashes listed above (the digests given are 32 hex characters, i.e. MD5 length).
- Monitoring for the execution of specific macOS system utilities (`system_profiler`, `networksetup`, `sysctl`) initiated by anomalous processes.
- Network monitoring for connections to `sarkerrentacars.com` (defanged).
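The discovery commands listed under Core Capabilities are individually common on a healthy Mac (an admin runs `diskutil list` or `system_profiler` by hand), so the useful signal is the burst: one parent process spawning several distinct discovery categories within seconds. The example below is added here and is not code from the report; it runs that correlation over constructed process-execution events in an assumed `key=value` line format (real EDR telemetry would be mapped to the same fields). Parent names, PIDs and timestamps are invented for the test.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-execution telemetry (assumption: not real EDR output), one event per line.
SAMPLE_EVENTS = """\
2024-02-02T10:00:01Z ppid=901 parent=Terminal pid=902 user=admin cmd="system_profiler SPHardwareDataType"
2024-02-02T10:14:07Z ppid=4242 parent=VisualStudioUpdater pid=4301 user=jdoe cmd="system_profiler SPSoftwareDataType SPHardwareDataType"
2024-02-02T10:14:08Z ppid=4242 parent=VisualStudioUpdater pid=4302 user=jdoe cmd="networksetup -listallnetworkservices"
2024-02-02T10:14:08Z ppid=4242 parent=VisualStudioUpdater pid=4303 user=jdoe cmd="networksetup -listallhardwareports"
2024-02-02T10:14:09Z ppid=4242 parent=VisualStudioUpdater pid=4304 user=jdoe cmd="launchctl list"
2024-02-02T10:14:10Z ppid=4242 parent=VisualStudioUpdater pid=4305 user=jdoe cmd="diskutil list"
2024-02-02T10:14:12Z ppid=4242 parent=VisualStudioUpdater pid=4306 user=jdoe cmd="sysctl -a"
2024-02-02T11:30:00Z ppid=777 parent=Terminal pid=778 user=admin cmd="diskutil list"
"""

EVENT_RE = re.compile(r'^(\S+) ppid=(\d+) parent=(\S+) pid=(\d+) user=(\S+) cmd="(.*)"$')

# The discovery commands the report attributes to the binaries, grouped by category.
DISCOVERY = [
    ("hardware_software", re.compile(r"^system_profiler\b")),
    ("network_config", re.compile(r"^networksetup\s+-listall")),
    ("persistence_enum", re.compile(r"^launchctl\s+list\b")),
    ("disk_layout", re.compile(r"^diskutil\s+list\b")),
    ("kernel_params", re.compile(r"^sysctl\s+-a\b")),
]


def parse_events(text):
    """Parse the constructed line format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, ppid, parent, pid, user, cmd = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ppid": int(ppid),
                       "parent": parent, "pid": int(pid), "user": user, "cmd": cmd})
    return events


def classify(cmd):
    """Map a command line to a discovery category, or None if it is not one."""
    for label, rx in DISCOVERY:
        if rx.search(cmd):
            return label
    return None


def find_discovery_bursts(text, window=timedelta(seconds=60), min_categories=3):
    """Alert when one parent runs >= min_categories distinct discovery categories inside `window`."""
    by_parent = defaultdict(list)
    for ev in parse_events(text):
        label = classify(ev["cmd"])
        if label:
            by_parent[(ev["ppid"], ev["parent"])].append((ev["ts"], label, ev["cmd"]))
    alerts = []
    for (ppid, parent), hits in by_parent.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):          # slide the window over each start point
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            cats = {h[1] for h in in_window}
            if len(cats) >= min_categories:
                alerts.append({"ppid": ppid, "parent": parent, "start": t0,
                               "categories": sorted(cats), "commands": [h[2] for h in in_window]})
                break                                    # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for a in find_discovery_bursts(SAMPLE_EVENTS):
        print(a["parent"], a["ppid"], a["categories"])
```

The threshold of three categories in sixty seconds is an assumption to tune per fleet; the point is that `Terminal`-driven one-off commands never trip it, while the updater-named parent that walks the whole list in five seconds does.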
## Mitigation Strategies
- Restrict execution of unknown binaries, especially those masquerading as system files or updates.
- Utilize Endpoint Detection and Response (EDR) to monitor command-line arguments used with system utilities for unusual combinations or targets.
## Related Tools/Techniques
- Related to the initial payload downloaders associated with the fake job offering campaign.
***
# Tool/Technique: Initial Stage Payloads (Jobinfo App Bundles)
## Overview
ZIP archives acting as first-stage payloads, disguised as job information, responsible for downloading the main backdoor component. These samples appear to predate the Rust-based malware but share distribution infrastructure (e.g., C2 domains).
## Technical Details
- Type: Dropper/Downloader (Application Bundles/ZIP Archives)
- Platform: macOS
- Capabilities: Downloading and executing the subsequent backdoor component, providing a decoy PDF.
- First Seen: Initially released around October 13, 2023.
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1204 - User Execution
- TA0005 - Defense Evasion
- T1036 - Masquerading
## Functionality
### Core Capabilities
- Distribution via ZIP archives (`Jobinfo.app.zip`, `Jobinfo.zip`).
- Contains a downloader script (Shell script or Compiled Apple Script) to fetch the main backdoor.
- Downloads a decoy PDF file acting as a confidentiality agreement to distract the user.
- One variant uses a FAT binary signed with developer ID `X43S7HF655` to launch scripts (`main.scpt`, `CocoaAppletAppDelegate.scpt`).
### Advanced Features
- Utilizes both shell scripts and compiled AppleScripts for initial execution chains.
## Indicators of Compromise
- File Hashes (Application Bundles):
  - `e7cab6f2be47940bf36e279bbec54ec7` (`Jobinfo.app.zip`)
  - `26d6a7e3507edf9953684d367dcd44bd` (`Jobinfo.zip`)
  - `775851f86cbde630808ff6d2cf8cedbf` (`Jobinfo.zip`)
- Download Script Hashes:
  - Shell Script: `784d3a3a51ff811b4035ac72a9122ed3`
  - Compiled Apple Script: `3fe70007c81f6938d872f0acdc7703ff`
- Network Indicators: Utilized previous C2 infrastructure, including communication with `sarkerrentacars.com` (defanged).
## Associated Threat Actors
- The actor targeting cryptocurrency entities during the initial operational period (Oct 2023).
## Detection Methods
- Signature detection of the downloader scripts identified by hashes.
- Monitoring for the extraction and execution of scripts from ZIP archives containing application bundles named "Jobinfo".
## Mitigation Strategies
- Caution when opening unrecognized job application materials.
- Disable execution of downloaded/untrusted scripts by default.
## Related Tools/Techniques
- Precursor to the Golang environment discovery binaries and potentially the Rust backdoor depending on the timeline integration.
***
# Tool/Technique: Command and Control (C2) Infrastructure Access Points
## Overview
Specific endpoints discovered on one of the C2 servers used by the attackers, indicating ways they manage bots and retrieve operational data.
## Technical Details
- Type: Infrastructure/Procedure
- Platform: Server-side (HTTP/Web)
- Capabilities: Bot management, task management, and documentation retrieval.
- First Seen: Discovered during subsequent investigation following initial reporting.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071.001 - Application Layer Protocol: Web Protocols (HTTP/HTTPS)
## Functionality
### Core Capabilities
- `GET /client/bots`: Used to query and view details of all currently infected victims (bots).
- `GET /tasks/result/{id}`: Used to retrieve the output or results of previously executed tasks.
- `POST /tasks/create`: Used to issue new commands or tasks to the infected bots.
### Advanced Features
- `GET /redoc`: Provides short documentation of the available (exposed) C2 endpoints via a brief web interface.
## Indicators of Compromise
- Network Indicators: N/A (These are endpoints, not external host indicators, but they run on C2 servers previously identified, such as `maconlineoffice.com` or `serviceicloud.com`).
## Associated Threat Actors
- Actors operating the observed infrastructure.
## Detection Methods
- Monitoring web server logs for unusual requests to these specific path patterns on known C2 domains or IPs.
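A worked version of that monitoring, added here as an example rather than taken from the report: it scans proxy-style log lines for the C2 hosts and IPs in the IoC list and for the four endpoint shapes above, and grades each hit. The log format and the client addresses are constructed assumptions. One caveat worth encoding: `/redoc` is the default ReDoc documentation path of common API frameworks and `/tasks/...` paths are unremarkable on their own, so a path match on an unknown host is reported at low confidence and only a known C2 host makes a finding high.

```python
import re

# Hosts and IPs copied from the report's IoC list.
C2_HOSTS = {"maconlineoffice.com", "serviceicloud.com"}
C2_IPS = {"193.29.13.167", "88.214.26.22"}

# Operator-facing endpoints the report found on the C2 server.
ENDPOINT_PATTERNS = [
    ("bot_listing", "GET", re.compile(r"^/client/bots/?$")),
    ("task_result", "GET", re.compile(r"^/tasks/result/[^/?#]+$")),
    ("task_create", "POST", re.compile(r"^/tasks/create/?$")),
    ("api_docs", "GET", re.compile(r"^/redoc/?$")),
]

# Constructed proxy log lines (assumption: "ts client method host path status"), not real traffic.
SAMPLE_LOG = """\
2024-02-02T09:00:00Z 10.1.2.3 GET intranet.example.test /redoc 200
2024-02-02T09:05:12Z 10.1.2.9 POST maconlineoffice.com:443 /tasks/create 200
2024-02-02T09:05:13Z 10.1.2.9 GET 193.29.13.167 /tasks/result/17 200
2024-02-02T09:06:40Z 10.1.2.9 GET serviceicloud.com /update/check 404
2024-02-02T09:10:00Z 10.1.2.4 GET cdn.example.test /tasks/result/17 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE|HEAD) (\S+) (\S+) (\d{3})$")


def normalise_host(host):
    """Lower-case and strip a single :port suffix (IPv6 literals contain more colons and are kept)."""
    host = host.lower()
    if host.count(":") == 1:
        host = host.split(":")[0]
    return host


def is_known_c2(host):
    return host in C2_HOSTS or host in C2_IPS


def match_endpoint(method, path):
    """Return the endpoint label if method+path fit one of the report's C2 routes."""
    for label, m, rx in ENDPOINT_PATTERNS:
        if method == m and rx.match(path):
            return label
    return None


def scan_log(text):
    """One finding per line that contacts a known C2 host or matches an endpoint pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, raw_host, path, status = m.groups()
        host = normalise_host(raw_host)
        known = is_known_c2(host)
        endpoint = match_endpoint(method, path)
        if not known and not endpoint:
            continue
        # Known infrastructure is conclusive; a bare path match is only a lead.
        confidence = "high" if known else "low"
        findings.append({"ts": ts, "client": client, "host": host, "path": path,
                         "endpoint": endpoint, "known_c2": known, "confidence": confidence})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["confidence"], f["client"], f["host"], f["path"], f["endpoint"])
```

In practice the low-confidence hits are what you pivot on after a high one: the same client address appearing in both (as `10.1.2.9` does here) is the kind of corroboration that justifies pulling that host for the file and process checks in the sections above.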
## Mitigation Strategies
- Blocking access to the overall C2 domains/IPs listed in the source material (e.g., `maconlineoffice.com`, `serviceicloud.com`, `193.29.13.167`, `88.214.26.22`).
## Related Tools/Techniques
- Essential for maintaining persistence and achieving the objective of the Rust-based backdoor or the earlier payload chain.