New Stealthy "RustDoor" Backdoor Targeting Apple macOS Devices

Since November 2023, a new backdoor targeting Apple macOS users, which Bitdefender has named RustDoor, has been operating discreetly. The malware is written in Rust, is disguised as a Microsoft Visual Studio update, and is built for both Intel and Arm (Apple silicon) Macs.

Although the initial access vector remains unknown, the malware is distributed as FAT (universal) binaries, each of which bundles a Mach-O file for more than one architecture. The existence of multiple variants with minor modifications suggests ongoing development; the earliest sample dates back to November 2, 2023.
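When triaging a suspicious "update" binary like this one, the first question is which architecture slices it actually carries and whether each slice is a real Mach-O image. The following parser is an added example written for this page; it is not Bitdefender's analysis tooling and contains nothing from the malware. It walks the big-endian `fat_header` / `fat_arch` table, checks that every slice lies inside the file and begins with a Mach-O header whose `cputype` matches the table entry, and rejects Java class files, which share the `0xCAFEBABE` magic. The constant values come from Apple's `mach-o/fat.h`, `mach-o/loader.h` and `mach/machine.h`; the input bytes are constructed inline by `build_sample_fat()` and are not a RustDoor sample.

```python
"""Triage helper: enumerate the architecture slices of a Mach-O FAT (universal) binary.

Added example for this article, not code from Bitdefender or from the malware.
The bytes returned by build_sample_fat() are constructed here and are NOT a
RustDoor sample; they are just a minimal two-slice universal binary.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

FAT_MAGIC = 0xCAFEBABE          # fat_header.magic, always stored big-endian
MH_MAGIC = 0xFEEDFACE           # 32-bit Mach-O header magic (target byte order)
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O header magic (target byte order)
CPU_TYPE_X86_64 = 0x01000007    # CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0x0100000C     # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
MH_EXECUTE = 0x2                # Mach-O filetype for an executable
MAX_PLAUSIBLE_ARCHES = 20       # heuristic: a Java .class file also starts with 0xCAFEBABE


@dataclass
class FatSlice:
    cputype: int
    cpusubtype: int
    offset: int
    size: int
    align: int                   # log2 of the slice alignment
    arch: str                    # human-readable name, or "unknown(0x...)"
    valid_macho: bool            # slice starts with a Mach-O header for the claimed cputype
    filetype: Optional[int]      # Mach-O filetype when valid_macho, else None


def parse_fat(data: bytes) -> List[FatSlice]:
    """Parse the fat_arch table and validate each slice against the bytes it points at."""
    if len(data) < 8:
        raise ValueError("too short for a fat_header")
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a FAT binary (magic 0x%08x)" % magic)
    # A Java class file has the same magic followed by minor/major version fields,
    # which would read here as an implausibly large slice count.
    if nfat_arch == 0 or nfat_arch > MAX_PLAUSIBLE_ARCHES:
        raise ValueError("implausible nfat_arch=%d (Java class file?)" % nfat_arch)
    if len(data) < 8 + 20 * nfat_arch:
        raise ValueError("truncated fat_arch table")
    slices = []
    for i in range(nfat_arch):
        base = 8 + 20 * i
        cputype, cpusubtype, offset, size, align = struct.unpack(">IIIII", data[base:base + 20])
        # Bounds check so a crafted table cannot make us read outside the file.
        if offset + size > len(data):
            raise ValueError("slice %d extends past end of file" % i)
        # x86_64 and arm64 are both little-endian, so the mach_header is little-endian on disk.
        header = data[offset:offset + 16]
        valid, filetype = False, None
        if len(header) == 16:
            hdr_magic, hdr_cputype, _sub, ft = struct.unpack("<IIII", header)
            valid = hdr_magic in (MH_MAGIC, MH_MAGIC_64) and hdr_cputype == cputype
            if valid:
                filetype = ft
        slices.append(FatSlice(cputype, cpusubtype, offset, size, align,
                               CPU_NAMES.get(cputype, "unknown(0x%08x)" % cputype),
                               valid, filetype))
    return slices


def arch_names(data: bytes) -> List[str]:
    """Architecture names in table order, e.g. ['x86_64', 'arm64']."""
    return [s.arch for s in parse_fat(data)]


def build_sample_fat() -> bytes:
    """Constructed input: a universal binary with one x86_64 and one arm64 slice.

    Each slice is only a bare 32-byte mach_header_64 (no load commands), which is
    enough to exercise the parser. Alignment is 2^12 to keep the buffer small.
    """
    align = 12
    page = 1 << align
    hdr_size = 32
    entries = [(CPU_TYPE_X86_64, 0x3, page),      # CPU_SUBTYPE_X86_64_ALL
               (CPU_TYPE_ARM64, 0x0, 2 * page)]   # CPU_SUBTYPE_ARM64_ALL
    out = bytearray(2 * page + hdr_size)
    struct.pack_into(">II", out, 0, FAT_MAGIC, len(entries))
    for i, (cputype, cpusubtype, offset) in enumerate(entries):
        struct.pack_into(">IIIII", out, 8 + 20 * i, cputype, cpusubtype, offset, hdr_size, align)
        # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
        struct.pack_into("<IIIIIIII", out, offset, MH_MAGIC_64, cputype, cpusubtype,
                         MH_EXECUTE, 0, 0, 0, 0)
    return bytes(out)


if __name__ == "__main__":
    for s in parse_fat(build_sample_fat()):
        print("%-8s offset=%-6d size=%-6d valid=%s filetype=%s"
              % (s.arch, s.offset, s.size, s.valid_macho, s.filetype))
```

On a Mac, `file` and `lipo -archs` answer the same question for a real sample; the point of doing it by hand is the two checks that naive tooling tends to skip: the offset/size bounds check, and the confirmation that the bytes at each slice really begin with a Mach-O header for the architecture the table claims. A slice whose `valid_macho` is False is worth a closer look rather than being dropped silently.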

RustDoor supports a set of commands for gathering and uploading files and for harvesting information from compromised endpoints. Some versions ship with a configuration that specifies which data to collect, which file extensions and directories to target, and which directories to exclude. The collected information is exfiltrated to a command-and-control (C2) server.

Bitdefender, the Romanian cybersecurity firm, suggests a possible link between RustDoor and prominent ransomware families such as Black Basta and BlackCat, based on overlaps in their C2 infrastructure.

Security researcher Andrei Lapusneau notes that ALPHV/BlackCat, a ransomware family also written in Rust, emerged in November 2021 and introduced the public leaks business model. In December 2023, the U.S. government announced the disruption of the BlackCat ransomware operation and released a decryption tool that let over 500 victims regain access to their encrypted files.

Other news

Zoom Adopts NIST-Approved Post-Quantum End-to-End Encryption for Meetings

Zoom, a popular enterprise services provider, has announced the rollout of post-quantum end-to-end encryption (E2EE) for Zoom Meetings, with support for Zoom Phone and Zoom Rooms expected to follow.


Iranian Hackers Target Middle East Policy Experts with New BASICSTAR Backdoor

The Iranian-origin threat group known as Charming Kitten has been linked to a series of new attacks targeting Middle East policy experts. The attacks deliver a new backdoor named BASICSTAR through a fake webinar portal.
