They identify a new ‘malware’ in MacOS capable of stealing files by posing as a Visual Studio update

MADRID, Feb 12. (Portaltic/EP) –

A group of researchers has identified a new ‘malware’ targeting users with MacOS computers, able to steal files through a backdoor which is distributed posing as a Microsoft Visual Studio code program update.

This has been detailed by a group of researchers from the cybersecurity company Bitdefender, who assure that it is a new backdoor belonging to a ‘previously undocumented’ malware family and that it shows a possible link to a Windows ‘ransomware’ group.

In this framework, as detailed in a statement on their website, this backdoor, which they refer to as Trojan.MAC.RustDoor, is aimed at macOS users and written in Rust, a “relatively new” programming language in the ‘malware’ ecosystem that offers cybercriminals advantages when it comes to evading detection and analysis.

Specifically, as they have been able to verify, the ‘malware’ can be used to steal specific files or file types, as well as to archive them and upload them to the command and control center (C&C), so that the malicious actors can access them.

Furthermore, according to the researchers, the campaign has been active since at least November of last year. The last ‘malware’ sample found is dated the 2nd of this month, which indicates that it “has been running undetected for at least three months.”

Thus, in order to distribute itself, this ‘malware’ spoofs an update to Microsoft’s Visual Studio program. In fact, some identified samples have names such as ‘VisualStudioUpdater’, ‘VisualStudioUpdater_Patch’, ‘VisualStudioUpdating’ and ‘visualstudioupdate’. However, other samples of this ‘malware’ have also been found under the names ‘DO_NOT_RUN_ChromeUpdates’ and ‘zshrc2’.

Likewise, all the files are FAT binaries, that is, they can run on multiple types of processors, in this case both Intel (x86_64) and ARM (Apple Silicon) architectures.
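Because every reported sample is a FAT (universal) Mach-O, a defender triaging a suspicious “updater” file can confirm that property directly from the file header. The following added example (not code from the article or from Bitdefender) parses the big-endian fat header, lists the CPU slices it carries, and flags file names matching those reported above; the fat header bytes it checks are constructed inline for demonstration.

```python
import struct

# File names reported in the article for this campaign.
REPORTED_NAMES = {
    "VisualStudioUpdater", "VisualStudioUpdater_Patch", "VisualStudioUpdating",
    "visualstudioupdate", "DO_NOT_RUN_ChromeUpdates", "zshrc2",
}

FAT_MAGIC = 0xCAFEBABE            # big-endian magic of a fat (universal) Mach-O
CPU_TYPE_X86_64 = 0x01000007      # CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0x0100000C       # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
FAT_ARCH_SIZE = 20                # cputype, cpusubtype, offset, size, align (5 x uint32)


def fat_architectures(data: bytes) -> list:
    """Return the architectures of a fat Mach-O header, or [] if not a fat binary."""
    if len(data) < 8:
        return []
    magic, nfat_arch = struct.unpack(">II", data[:8])
    # Java class files share the CAFEBABE magic; a real fat header has a small slice count.
    if magic != FAT_MAGIC or nfat_arch == 0 or nfat_arch > 32:
        return []
    archs = []
    for i in range(nfat_arch):
        off = 8 + i * FAT_ARCH_SIZE
        if off + FAT_ARCH_SIZE > len(data):
            break                   # truncated header: report what was parsed
        cputype = struct.unpack(">IIIII", data[off:off + FAT_ARCH_SIZE])[0]
        archs.append(CPU_NAMES.get(cputype, f"cpu_0x{cputype:08x}"))
    return archs


def assess(name: str, data: bytes) -> dict:
    """Combine the name check and the header check into one triage verdict."""
    archs = fat_architectures(data)
    return {
        "name_matches_reported_sample": name in REPORTED_NAMES,
        "universal_binary": bool(archs),
        "architectures": archs,
        "intel_and_apple_silicon": {"x86_64", "arm64"} <= set(archs),
    }


# Constructed fat header (not a real sample): two slices, x86_64 then arm64.
SAMPLE_FAT = struct.pack(">II", FAT_MAGIC, 2)
SAMPLE_FAT += struct.pack(">IIIII", CPU_TYPE_X86_64, 3, 0x4000, 0x1000, 14)
SAMPLE_FAT += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0x8000, 0x1000, 14)

if __name__ == "__main__":
    print(assess("VisualStudioUpdater", SAMPLE_FAT))
```

On a real system, replace SAMPLE_FAT with the first 8 + 20 * n bytes read from the file under review.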

Within the different versions that the researchers have identified in this ‘malware’ campaign, commands such as ‘shell’, ‘cd’, ‘sleep’, ‘upload’, ‘taskkill’ and ‘dialog’ have been found, with which the cybercriminals can collect and upload files, as well as obtain information about the device on which it is running.

As they have explained, specifically, the ‘sysctl’ command, together with the ‘pwd’ and ‘hostname’ commands, is used to send a Victim ID to the registration endpoint of the command and control infrastructure -that is, the servers that control the information, centralize it and carry out the necessary actions- which is subsequently used in “the rest of the communication between C&C and the backdoor.”

With all this, Bitdefender has indicated that, for the moment, this ‘malware’ campaign cannot be attributed to any known threat actor. However, they have observed similarities with the ALPHV/BlackCat ‘ransomware’, which also uses the Rust programming language and shares “common domains” used as command and control infrastructure servers.

In fact, they have pointed out that three of the four command and control servers used by this ‘malware’ have been associated with previous ‘ransomware’ campaigns targeting Windows customers.
