macOS Backdoor “HZ Rat” Targets Users of DingTalk and WeChat
Kaspersky Labs has uncovered a new macOS backdoor malware called “HZ Rat” that is specifically targeting users of popular Chinese communication platforms, DingTalk and WeChat. This marks a significant expansion of the malware’s reach, which was previously known to attack only Windows systems.
The macOS version of HZ Rat mimics its Windows counterpart in functionality, employing the same command structure and data exfiltration methods. However, it delivers its payload in the form of shell scripts, indicating a potential focus on deeper system infiltration and lateral movement within compromised networks.
Although the macOS version of HZ Rat supports only four basic commands—execute_cmdline, write_file, download_file, and ping—these commands are more than sufficient to carry out a range of malicious activities. For instance, the execute_cmdline command allows the attackers to run arbitrary shell commands on the victim’s device, potentially enabling them to take full control of the system.
During Kaspersky’s investigation, they intercepted commands from the C2 server that were designed to collect a wide array of data from the victim’s device. This includes:
- System Integrity Protection (SIP) status
- Detailed system and device information
- Local IP addresses and network configurations
- Bluetooth and Wi-Fi network data
- Hardware specifications and storage details
- Lists of installed applications
- User information from WeChat and DingTalk
The backdoor also attempts to harvest sensitive user data, such as WeChat IDs, emails, and phone numbers stored in plain text on the victim’s device. For DingTalk users, the malware goes a step further, seeking out detailed organizational information, including the user’s department, corporate email, and phone number.
The infrastructure supporting the macOS variant of HZ Rat is extensive, with four active C2 servers identified during the investigation. While most of these servers are located in China, a few have been traced to the United States and the Netherlands, suggesting a global operation. Notably, some of the IP addresses used by the attackers have previously been associated with malware targeting Windows systems, indicating that the threat actors behind HZ Rat have been active for some time and are now expanding their operations.
A particularly intriguing aspect of the investigation is the discovery that the installation package was uploaded from a domain associated with MiHoYo, a prominent Chinese video game developer. While it remains unclear how the package ended up on this domain, it raises the possibility that the attackers may have compromised MiHoYo’s infrastructure or found another way to leverage the company’s reputation to distribute their malware.
The backdoor was found disguised within a seemingly legitimate OpenVPN installation package. Once installed, HZ Rat collects a wide array of user and system information, including WeChat IDs, email addresses, phone numbers, employer details, hardware specifications, and even passwords stored in Google Password Manager.
While the primary function observed so far is data collection, experts warn that HZ Rat’s full capabilities may not yet be fully understood. The potential for lateral movement and the use of private C2 addresses raise significant concerns about the malware’s potential for wider-scale espionage and future attacks.
