New Stealthy "RustDoor" Backdoor Targeting Apple macOS Devices

13.02.2024


Since November 2023, a new backdoor targeting Apple macOS users, named RustDoor by Bitdefender, has been operating discreetly. This Rust-based malware disguises itself as a Microsoft Visual Studio update and is capable of affecting both Intel and Arm architectures.

Although the initial access pathway remains unknown, the malware is distributed as FAT binaries containing Mach-O files. The existence of multiple variants with minor modifications suggests ongoing development, with the earliest sample dating back to November 2, 2023.
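For triage of the FAT (universal) binaries mentioned above, the following added example (not from the Bitdefender report) parses the FAT header, lists each architecture slice, and checks that each slice really begins with a Mach-O magic. The sample binary it builds is constructed inline; only the header and slice magics are present, not a full Mach-O.

```python
import struct

# FAT header constants (big-endian on disk) and the two CPU types the report names.
FAT_MAGIC = 0xCAFEBABE
CPU_TYPE_X86_64 = 0x01000007   # Intel
CPU_TYPE_ARM64 = 0x0100000C    # Apple silicon
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
# Mach-O magics as they appear on disk (32/64-bit, both byte orders).
MACHO_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xfe\xed\xfa\xce"}


def parse_fat(data: bytes):
    """Return [(cpu_name, offset, size, is_macho)] per slice, or [] if not a FAT binary."""
    if len(data) < 8:
        return []
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        return []
    slices = []
    for i in range(nfat):
        pos = 8 + i * 20                       # each fat_arch entry is 20 bytes
        if pos + 20 > len(data):
            break                              # truncated header: stop, do not guess
        cputype, _subtype, offset, size, _align = struct.unpack(">IIIII", data[pos:pos + 20])
        is_macho = data[offset:offset + 4] in MACHO_MAGICS
        slices.append((CPU_NAMES.get(cputype, f"0x{cputype:08x}"), offset, size, is_macho))
    return slices


def covers_intel_and_arm(data: bytes) -> bool:
    """True when the binary carries valid Mach-O slices for both x86_64 and arm64."""
    found = {name for name, _o, _s, ok in parse_fat(data) if ok}
    return {"x86_64", "arm64"} <= found


def build_sample_fat() -> bytes:
    """Constructed sample: two-slice FAT header; each slice is just a 64-bit Mach-O magic."""
    blob = bytearray(132)
    blob[0:8] = struct.pack(">II", FAT_MAGIC, 2)
    blob[8:28] = struct.pack(">IIIII", CPU_TYPE_X86_64, 3, 64, 4, 2)
    blob[28:48] = struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 128, 4, 2)
    blob[64:68] = b"\xcf\xfa\xed\xfe"          # x86_64 slice
    blob[128:132] = b"\xcf\xfa\xed\xfe"        # arm64 slice
    return bytes(blob)


if __name__ == "__main__":
    for name, off, size, ok in parse_fat(build_sample_fat()):
        print(f"{name:8} offset={off:<6} size={size:<6} macho={ok}")
```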

RustDoor boasts an array of commands enabling file gathering, uploading, and information harvesting from compromised endpoints. Some versions include configurations specifying the data to collect, targeted file extensions and directories, as well as directories to exclude. The exfiltration of captured information occurs through a command-and-control (C2) server.

Bitdefender, the Romanian cybersecurity firm, suggests a potential link between RustDoor and prominent ransomware families like Black Basta and BlackCat due to shared characteristics in C2 infrastructure.

Security researcher Andrei Lapusneau notes that ALPHV/BlackCat, a ransomware family also written in Rust, emerged in November 2021 and introduced the public leaks business model. In December 2023, the U.S. government announced the takedown of the BlackCat ransomware operation, providing a decryption tool for over 500 victims affected by the malware to regain access to their locked files.
