Apple macOS users are the target of a new Rust-based backdoor that has been active under the radar since November 2023. Bitdefender has given it the code name “RustDoor”; it has been caught posing as an update for Microsoft Visual Studio and targets both Intel and Arm architectures.
What we know about the RustDoor backdoor
Currently the exact initial access path used to deliver the implant is unknown, although it is reported to be distributed as FAT binaries that contain Mach-O files.
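Because the only delivery detail known so far is the FAT (universal) container, the first thing a responder does with a suspicious download is enumerate its architecture slices and confirm each one really is a Mach-O image. The following parser is an added example, not Bitdefender's tooling or anything from the RustDoor samples; it reads the Apple fat_header/fat_arch tables, rejects Java class files (which share the CAFEBABE magic) and truncated or inconsistent slice tables, and is exercised on a constructed two-slice blob that contains only bare Mach-O headers, not real code.

```python
import struct

FAT_MAGIC = 0xCAFEBABE            # universal (fat) binary magic, big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O magic, stored in the slice's own byte order
MH_MAGIC = 0xFEEDFACE             # 32-bit Mach-O magic
CPU_TYPE_X86_64 = 0x01000007      # Intel slice
CPU_TYPE_ARM64 = 0x0100000C       # Apple silicon slice
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

FAT_HEADER = struct.Struct(">II")      # magic, nfat_arch (big-endian)
FAT_ARCH = struct.Struct(">iiIII")     # cputype, cpusubtype, offset, size, align (log2)


def parse_fat(data: bytes) -> list[dict]:
    """Return one record per architecture slice of a FAT binary.

    Raises ValueError when the blob is not a FAT binary or its slice table
    is inconsistent with the file size.
    """
    if len(data) < FAT_HEADER.size:
        raise ValueError("too short for a fat_header")
    magic, nfat_arch = FAT_HEADER.unpack_from(data, 0)
    if magic != FAT_MAGIC:
        raise ValueError(f"not a FAT binary (magic {magic:#x})")
    # Java .class files also start with CAFEBABE; their next field is a version
    # number, so an implausibly large slice count is a cheap heuristic to reject them.
    if nfat_arch == 0 or nfat_arch > 32:
        raise ValueError(f"implausible nfat_arch {nfat_arch}; probably not a FAT binary")

    slices = []
    pos = FAT_HEADER.size
    for _ in range(nfat_arch):
        if pos + FAT_ARCH.size > len(data):
            raise ValueError("fat_arch table runs past end of file")
        cputype, cpusubtype, offset, size, align = FAT_ARCH.unpack_from(data, pos)
        pos += FAT_ARCH.size
        if offset + size > len(data):
            raise ValueError(f"slice at {offset:#x} (+{size:#x}) runs past end of file")
        # Every slice should begin with a Mach-O header; x86_64 and arm64 write it little-endian.
        slice_magic = struct.unpack_from("<I", data, offset)[0] if size >= 4 else 0
        slices.append({
            "arch": CPU_NAMES.get(cputype, f"cputype {cputype:#x}"),
            "cpusubtype": cpusubtype,
            "offset": offset,
            "size": size,
            "align": 1 << align,
            "is_macho": slice_magic in (MH_MAGIC_64, MH_MAGIC),
        })
    return slices


def is_fat(data: bytes) -> bool:
    """True only if the blob parses as a well-formed FAT binary."""
    try:
        parse_fat(data)
        return True
    except ValueError:
        return False


def build_sample_fat() -> bytes:
    """Construct a minimal two-slice FAT blob (x86_64 + arm64) for the demo.

    Each slice is just a mach_header_64 with zero load commands. This is a
    constructed sample, not RustDoor or any real program.
    """
    def mach_header_64(cputype: int) -> bytes:
        # magic, cputype, cpusubtype, filetype (MH_EXECUTE = 2), ncmds, sizeofcmds, flags, reserved
        return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)

    x86, arm = mach_header_64(CPU_TYPE_X86_64), mach_header_64(CPU_TYPE_ARM64)
    x86_off, arm_off = 0x40, 0x80                      # 16-byte (2**4) aligned for the toy
    header = FAT_HEADER.pack(FAT_MAGIC, 2)
    header += FAT_ARCH.pack(CPU_TYPE_X86_64, 3, x86_off, len(x86), 4)
    header += FAT_ARCH.pack(CPU_TYPE_ARM64, 0, arm_off, len(arm), 4)
    blob = bytearray(arm_off + len(arm))
    blob[:len(header)] = header
    blob[x86_off:x86_off + len(x86)] = x86
    blob[arm_off:arm_off + len(arm)] = arm
    return bytes(blob)


if __name__ == "__main__":
    for s in parse_fat(build_sample_fat()):
        print(f"{s['arch']:>8} @ {s['offset']:#06x} size={s['size']} macho={s['is_macho']}")
```

Run against a real download the loop prints one line per slice; a "universal" installer whose slices are not Mach-O, or whose table points past the end of the file, is worth a closer look before anyone double-clicks it. The nfat_arch bound is a heuristic of this example, not a rule from Apple's format specification.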
Several variants of the malware with minor modifications have been detected to date, which likely indicates active development; the oldest known RustDoor sample dates back to November 2, 2023.
It comes with a wide range of commands that allow it to collect and upload files, as well as collect information about the compromised endpoint.
Some versions also ship with a configuration that specifies which data to collect: a list of target file extensions and directories, plus directories to exclude. The harvested information is then exfiltrated to a command and control (C2) server.
The Romanian cybersecurity company stated that the malware is likely linked to prominent ransomware families such as Black Basta and BlackCat, based on overlaps in the C2 (command and control) infrastructure.
“ALPHV/BlackCat is a ransomware family (also written in Rust), which first appeared in November 2021 and introduced the public leak business model,” said security researcher Andrei Lapusneanu.
In December 2023, the US government announced that it had taken down the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.
Cases similar to RustDoor
This is not the first time that users of an operating system have been targeted by sophisticated backdoors similar to RustDoor; comparable cases include attacks against Windows and Linux platforms, where advanced malware exploited vulnerabilities in the operating system to gain unauthorized access.
Cyber threats are becoming increasingly complex and targeted, which highlights the importance of keeping systems and security software up to date and adopting safe browsing practices.
Some well-known cases similar to RustDoor include:
- Stuxnet (2010): Stuxnet is a computer worm known for attacking Supervisory Control and Data Acquisition (SCADA) systems used in nuclear power plants; it spread through USB devices and exploited vulnerabilities in industrial control software.
- WannaCry (2017): WannaCry is ransomware that affected Windows systems around the world by exploiting a vulnerability known as EternalBlue; it caused significant damage and highlighted the importance of keeping operating systems up to date.
- NotPetya (2017): Originally disguised as ransomware, NotPetya turned out to be a destructive attack, causing considerable damage to businesses and infrastructure in Ukraine and beyond; it spread by exploiting various vulnerabilities.
- SolarWinds (2020): A sophisticated supply chain attack that compromised SolarWinds network management software; it affected numerous government agencies and businesses, demonstrating the effectiveness of threats that infiltrate through trusted vendors.
- Ryuk (2019): Ryuk is ransomware known to specifically target organizations and businesses and demand high ransoms; it often spreads through phishing and exploits weaknesses in an organization's security.
What to do in similar cases
If you suspect malicious activity or a security compromise, it is essential to act immediately: isolate the infected device from the network and stop using credentials that were entered on it on other devices.
It is advisable to contact a cybersecurity expert or specialized company right away to conduct a detailed analysis and remove the threat; at the same time, inform the relevant authorities and carefully monitor financial transactions to detect any suspicious activity.
Furthermore, adopting good security practices, such as regularly installing system updates, using reliable antivirus software and being cautious when opening attachments or clicking on suspicious links, can significantly reduce the risk of falling victim to such cyber threats. And remember that, since we are talking about macOS, Malwarebytes is also available for Macs.