Malware Mimic as Visual Studio Update to Attack macOS users

A new backdoor written in Rust has been discovered to target macOS users with several interesting features. Moreover, there have been 3 variants of backdoor found masquerading under the name of Visual Studio Update.

The backdoor is distributed as FAT binaries with Mach-O files for x84_64 Intel and ARM architectures. In addition to this, the backdoor dates back to early November 2023, with the latest sample being found on Feb 2nd, 2024. 

Malware Mimic as Visual Studio Update

Bitdefender said that , most of the samples have the same core functionalities with little variations. A list of identified samples is as follows:

• zshrc2
• Previewers
• VisualStudioUpdater
• VisualStudioUpdater_Patch
• VisualStudioUpdating
• visual studio update
• DO_NOT_RUN_ChromeUpdates

All of the variants support the following commands

• ps
• shell
• cd
• mkdir
• rm
• rmdir
• sleep
• upload
• botkill
• dialog
• taskkill
• download

Variant 1

This was found to be a test version of the backdoor identified by the plist file (test.plist). However, the embedded plist file was found to be copy-pasted from a public writeup that describes the mechanisms and sandbox evasion techniques for macOS.

Variant 2

The number of files in this second variant has several large files containing a complex JSON configuration along with an embedded Apple Script for extracting the data. This Apple script had been found with several variants, all of them meant for data exfiltration purposes.

Moreover, the configuration options contain a list of applications to be impersonated to spoof the administrator password with a dialog box.

Variant zero

This was the oldest version that first appeared on November 11, 2023. Since this was the earliest version of the backdoor, it lacks the Apple script and embedded configurations.

Bitdefender has published a comprehensive report on a backdoor that has been traced back to the BlackBasta and (ALPHV/BlackCat) ransomware operators. The report contains in-depth information on the backdoor’s various variants, samples, source code, and other relevant details.

Indicators of Compromise

Binaries

• 6dd3a3e4951d34446fe1a5c7cdf39754 (VisualStudioUpdater_Patch)
• 90a517c3dab8ceccf5f1a4c0f4932b1f (VisualStudioUpdater_Patch)
• b67bba781e5cf006bd170a0850a9f2d0 (VisualStudioUpdating)
• f5774aca722e0624daf67a2da5ec6967 (VisualStudioUpdater_Patch)
• 52a9d67745f153465fac434546007d3a (Previewers)
• 30b27b765878385161ca1ee71726a5c6 (DO_NOT_RUN_ChromeUpdates)
• 1dbc26447c1eaa9076e65285c92f7859 (visualstudioupdate)
• 05a8583f36599b5bc93fa3c349e89434 (VisualStudioUpdater)
• 5d0c62da036bbe375cb10659de1929e3 (VisualStudioUpdater)
• 68e0facbf541a2c014301346682ef9ca (VisualStudioUpdater)
• b2bdd1d32983c35b3b1520d83d89d197 (zshrc2)
• 5fcc12eaba8185f9d0ddecafae8fd2d1 (zshrc2)
• 97cd4fc94c59121f903f2081df1c9981
• 28bdd46d8609512f95f1f1b93c79d277
• 3e23308d074d8bd4ffdb5e21e3aa8f22
• 088779125434ad77f846731af2ed6781
• b67f6e534d5cca654813bd9e94a125b9
• cf54cba05efee9e389e090b3fd63f89b
• 44fcf7253bcf0102811e50a4810c4e41
• 690a097b0eea384b02e013c1c0410189
• 186be45570f13f94b8de82c98eaa8f4f
• 3c780bcfb37a1dfae5b29a9e7784cbf5
• 925239817d59672f61b8332f690c6dd6
• 9c6b7f388abec945120d95d892314ea7
• 85cd1afbc026ffdfe4cd3eec038c3185
• 6aaba581bcef3ac97ea98ece724b9092
• bcbbf7a5f7ccff1932922ae73f6c65b7
• bde0e001229884404529773b68bb3da0
• 795f0c68528519ea292f3eb1bd8c632e
• bc394c859fc379900f5648441b33e5fd
• 0fe0212fc5dc82bd7b9a8b5d5b338d22
• 835ebf367e769eeaaef78ac5743a47ca
• bdd4972e570e069471a4721d76bb5efb

Download domains

• https[:]//sarkerrentacars[.]com/zshrc
• https[:]//turkishfurniture[.]blog/Previewers
• http[:]//linksammosupply[.]com/zshrc2
• http[:]//linksammosupply[.]com/VisualStudioUpdaterLs2
• http[:]//linksammosupply[.]com/VisualStudioUpdater

C&C URLs

• maconlineoffice[.]com
• 193.29.13[.]167
• 88.214.26[.]22
• https://serviceicloud[.]com

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.