New macOS Threat Emerges: DingTalk and WeChat Spread HZ RAT
Experts at Kaspersky Lab have identified a new threat targeting macOS users in China: the HZ RAT backdoor, previously known only in its Microsoft Windows variant. The Trojan is being disseminated through popular Chinese messaging platforms such as DingTalk and WeChat, posing a significant risk to data security.
Researcher Sergey Puzan noted that the functionality of HZ RAT on macOS nearly mirrors that of the Windows version, with the primary difference being the method of delivering the malicious code. The malware receives instructions from a C2 server, which include executing PowerShell commands, recording and transmitting files, as well as gathering system information.
HZ RAT was first documented by the German company DCSO in November 2022. At that time, the malware was distributed via self-extracting archives or malicious RTF documents crafted with the Royal Road RTF tool. The attackers exploited a vulnerability in Microsoft Office (CVE-2017-11882) to install the malware on victims’ devices.
Another distribution method of HZ RAT involves masquerading as an installer for legitimate software such as OpenVPN or PuTTYgen. In this scenario, alongside the installation of the program, a malicious Visual Basic script is executed, which launches HZ RAT.
The primary objective of HZ RAT is to collect user data, such as credentials and system information. The malware is capable of extracting data from messaging platforms, including WeChat IDs, email addresses, and phone numbers. Of particular interest to the attackers is access to corporate information via DingTalk.
The latest sample of the HZ RAT backdoor was uploaded to VirusTotal in July 2023. This variant masquerades as an OpenVPN installer package and, like its Windows counterpart, supports four basic commands: running system commands, writing files, transmitting files to the server, and checking the victim’s availability.
The attack infrastructure includes C2 servers predominantly located in China, except for two servers in the United States and the Netherlands. Further analysis revealed that the infected ZIP archive containing the macOS installer package was downloaded from a domain belonging to the Chinese video game developer miHoYo, known for games such as Genshin Impact and Honkai: Star Rail.
It remains unclear how the file ended up on this domain and whether the server infrastructure was compromised. Nonetheless, the ongoing activity of HZ RAT years after its initial discovery indicates a degree of success for the attackers.
According to Sergey Puzan, the macOS version of HZ RAT demonstrates that the cybercriminals behind previous attacks remain active and continue their efforts to harvest user data, with the potential for further propagation across the victim’s network.