RustDoor malware targets macOS users by posing as a Visual Studio Update
A new malware family called RustDoor is targeting macOS users. The malware has gone undetected for 3 months and poses as a Microsoft Visual Studio update.
The malware was discovered by Bitdefender. A report by the antivirus maker says that RustDoor is written in the Rust programming language. Bitdefender products detect the malware as Trojan.MAC.RustDoor.
RustDoor was first discovered in November 2023. Bitdefender says that the malware is still circulating on the internet; the latest sample was spotted on February 2nd, 2024. RustDoor impersonates a Visual Studio update to trick the user into downloading it. The fake update contains FAT binaries with Mach-O files that can run on both Intel-based Macs and Apple Silicon Macs. The files are not packaged inside parent containers such as application bundles or disk images, possibly to remain hidden from the user.
The samples were identified by the following names: zshrc2, Previewers, VisualStudioUpdater, VisualStudioUpdater_Patch, VisualStudioUpdating, visualstudioupdate and DO_NOT_RUN_ChromeUpdates.
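As an added illustration of the delivery pattern described above (example code written for this page, not Bitdefender's or the report's), the helper below reads a file's FAT or Mach-O header, lists the CPU slices, and reports why a file matches the pattern: a universal Intel and Apple Silicon binary, dropped outside an .app bundle, under one of the sample names listed. The magic values and structure sizes are Apple's; the 16-slice sanity limit and the embedded test header are constructed assumptions.

```python
import struct
from pathlib import PurePosixPath

# Magic values from Apple's <mach-o/fat.h> and <mach-o/loader.h>
FAT_MAGIC = b"\xca\xfe\xba\xbe"       # fat_header.magic, big-endian on disk
MH_MAGIC_64 = b"\xcf\xfa\xed\xfe"     # 64-bit Mach-O, little-endian on disk
MH_MAGIC = b"\xce\xfa\xed\xfe"        # 32-bit Mach-O, little-endian on disk
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64", 7: "i386", 12: "arm"}

# Sample names listed in the Bitdefender report (lower-cased for matching)
KNOWN_NAMES = {"zshrc2", "previewers", "visualstudioupdater", "visualstudioupdater_patch",
               "visualstudioupdating", "visualstudioupdate", "do_not_run_chromeupdates"}

def classify_binary(data: bytes) -> dict:
    """Return the container kind and the CPU architectures found in a file header."""
    if data[:4] == FAT_MAGIC and len(data) >= 8:
        nfat = struct.unpack(">I", data[4:8])[0]
        # Java class files share the CAFEBABE magic; a real fat header has a small
        # slice count, so an implausible count (assumed limit: 16) is treated as non-Mach-O.
        if nfat == 0 or nfat > 16:
            return {"kind": "other", "archs": []}
        archs = []
        for i in range(nfat):
            off = 8 + i * 20                  # sizeof(struct fat_arch) == 20 bytes
            if off + 20 > len(data):
                break
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return {"kind": "fat", "archs": archs}
    if data[:4] == MH_MAGIC_64 and len(data) >= 8:
        cputype = struct.unpack("<I", data[4:8])[0]
        return {"kind": "macho64", "archs": [CPU_NAMES.get(cputype, hex(cputype))]}
    if data[:4] == MH_MAGIC and len(data) >= 8:
        cputype = struct.unpack("<I", data[4:8])[0]
        return {"kind": "macho32", "archs": [CPU_NAMES.get(cputype, hex(cputype))]}
    return {"kind": "other", "archs": []}

def triage(path: str, data: bytes) -> list:
    """List the reasons a file matches the RustDoor delivery pattern (empty if none)."""
    info = classify_binary(data)
    if info["kind"] == "other":
        return []
    p = PurePosixPath(path)
    reasons = []
    if p.name.lower() in KNOWN_NAMES:
        reasons.append("name matches a reported RustDoor sample")
    if info["kind"] == "fat" and {"x86_64", "arm64"} <= set(info["archs"]):
        reasons.append("universal binary (Intel + Apple Silicon)")
    if not any(part.endswith(".app") for part in p.parts):
        reasons.append("standalone executable outside an .app bundle")
    return reasons

# Constructed sample: a fat header with an x86_64 and an arm64 slice; not a real RustDoor file.
SAMPLE_FAT = (FAT_MAGIC + struct.pack(">I", 2)
              + struct.pack(">IIIII", 0x01000007, 3, 0x1000, 0x2000, 12)
              + struct.pack(">IIIII", 0x0100000C, 0, 0x3000, 0x2000, 14))
```

On a real host you would feed `triage` the path and the first few hundred bytes of each executable found in download and temp locations, and review anything that returns more than one reason.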
Fake updates are not a new technique; attackers have used such tricks in the past to infect Windows users. Over the past couple of years, they have also begun targeting Mac users with sophisticated methods. A similar trick was used to distribute the Atomic Stealer malware on macOS, which was delivered via fake browser updates. An unsuspecting user might believe it to be a genuine update for their browser, and the malware then infects their computer.
RustDoor malware's Capabilities
Bitdefender says that multiple variants of RustDoor exist and that they share some functionality. The malware is able to persist on the system and employs sandbox evasion techniques to bypass macOS security.
The report notes that Rust's syntax and semantics differ from those of common programming languages such as C and Python, which can make it harder for researchers to analyze and detect the malicious code. This in turn could help the malware evade detection, which might explain why it has been roaming undetected for the past three months.
The source code of RustDoor contains commands that allow it to gather and upload files. It also collects information about the computer. Some configurations of the malware carry specific instructions about the data to collect, including the maximum number of files, the file size, lists of targeted extensions and directories, and the folders to exclude. The malware is designed to exfiltrate data from the Documents and Desktop folders and from the user's notes; these are copied to a staging folder, compressed into a ZIP archive, and sent to a command-and-control (C2) server. The malware is also capable of downloading files from the server, which can further compromise the system. A total of 4 C2 servers appear to have been used in the attack, three of which have previously been associated with a ransomware group.
Bitdefender says that it does not have enough data to attribute the RustDoor campaign to a specific threat actor. However, the report says that the artifacts and indicators of compromise (IoCs) suggest a link to the BlackBasta and ALPHV/BlackCat ransomware operators, who have targeted Windows PCs in the past.