Large-scale espionage campaign targeting DingTalk, WeChat macOS users

As the market share and user base of macOS continue to grow, especially among high-value individual users in enterprises (such as management and R&D staff), hackers have begun turning their attention to a platform that was once considered relatively safe. Recently, Kaspersky exposed a large-scale espionage campaign targeting DingTalk and WeChat users on the macOS platform.

Kaspersky researcher Sergey Puzan discovered that a backdoor called HZ RAT has been specially ported to Apple's macOS. This version almost completely replicates the functionality of HZ RAT on Windows, differing only in the form of the payload: the macOS version receives its instructions through a shell script sent by the attacker's server.

A simple but extremely dangerous backdoor spy program

HZ RAT was first discovered and documented by the German cybersecurity firm DCSO in November 2022. The malware is usually spread through self-extracting zip archives or malicious RTF documents generated with the Royal Road RTF weaponization tool. These attack chains deploy the Windows version of the malware through RTF documents that exploit a years-old Equation Editor vulnerability in Microsoft Office (CVE-2017-11882) to execute code.

Another way HZ RAT spreads is by disguising itself as a legitimate software installer, such as OpenVPN, PuTTYgen, or EasyConnect. In addition to performing the normal installation, these disguised installers also execute a Visual Basic script (VBS) that launches the RAT (Remote Access Tool).

Although HZ RAT has relatively simple functionality, it should not be underestimated. It connects to the command and control (C2) server to receive further instructions, including executing PowerShell commands and scripts, writing arbitrary files to the system, uploading files to the server, and sending heartbeat messages. These functions indicate that HZ RAT is mainly used for credential theft and system reconnaissance.

Research shows that early versions of HZ RAT date back to at least June 2020. According to DCSO, attack activity using this malware began no later than October 2020.

A new threat: the macOS version

In Kaspersky's latest sample, uploaded to VirusTotal in July 2023, the malware disguised itself as an OpenVPN Connect installation package ("OpenVPNConnect.pkg"). Once launched, it established contact with the C2 server and executed four basic commands similar to those of the Windows version:

  • Execute shell commands (to collect system information, the local IP address, the list of installed apps, and DingTalk, Google Password Manager and WeChat data)
  • Write a file to disk
  • Send files to the C2 server
  • Check the victim's availability

"The malware attempts to obtain the victim's WeChatID, email, and phone number from WeChat," Puzan said. "As for DingTalk, the attackers are interested in more detailed victim data, such as the user's organization and department name, username, company email address, and phone number."
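The four commands and the data Puzan describes give a defender a concrete behavioural profile to hunt for on an endpoint: a process that repeatedly spawns shell commands for host reconnaissance and for the DingTalk and WeChat data directories, while beaconing to one address at a fixed interval (the "availability check"). The following Python is an editor-added example, not code from Kaspersky or from the article; the event schema, the process IDs and paths, the command-line marker strings and the sample telemetry are all constructed for illustration, and the scoring heuristic is the editor's own rather than a published detection rule.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Editor-added example. The event schema, paths and sample events below are
# constructed for illustration; they are not indicators from the report.


@dataclass(frozen=True)
class ExecEvent:
    ts: int        # seconds since epoch
    pid: int       # the newly started process
    ppid: int      # the process that spawned it
    image: str     # executable path of the new process
    cmdline: str   # full command line


@dataclass(frozen=True)
class NetEvent:
    ts: int
    pid: int       # the process that opened the connection
    dst_ip: str


SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")
# Shell commands a collector would run for system information, local IP and app enumeration.
RECON_MARKERS = ("system_profiler", "ifconfig", "ls /Applications")
# The two messaging clients the campaign is reported to harvest data from.
TARGET_APP_MARKERS = ("DingTalk", "WeChat")


def is_heartbeat(timestamps: List[int], min_beats: int = 3, tolerance: int = 5) -> bool:
    """True when at least min_beats connections are spaced at a near-constant interval."""
    if len(timestamps) < min_beats:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return max(gaps) - min(gaps) <= tolerance


def analyze(execs: List[ExecEvent], nets: List[NetEvent], min_reasons: int = 2) -> Dict[int, List[str]]:
    """Return {pid: reasons} for processes matching at least min_reasons indicators."""
    # Shell commands grouped by the process that spawned them.
    spawned: Dict[int, List[ExecEvent]] = defaultdict(list)
    for ev in execs:
        if ev.image in SHELLS:
            spawned[ev.ppid].append(ev)
    # Connection timestamps grouped by (pid, destination) so beaconing is judged per address.
    conns: Dict[int, Dict[str, List[int]]] = defaultdict(lambda: defaultdict(list))
    for nv in nets:
        conns[nv.pid][nv.dst_ip].append(nv.ts)

    findings: Dict[int, List[str]] = {}
    for pid in set(spawned) | set(conns):
        cmds = [e.cmdline for e in spawned.get(pid, [])]
        reasons = []
        if any(m in c for c in cmds for m in RECON_MARKERS):
            reasons.append("shell-based host reconnaissance")
        if any(m in c for c in cmds for m in TARGET_APP_MARKERS):
            reasons.append("shell access to DingTalk/WeChat data")
        if any(is_heartbeat(ts) for ts in conns.get(pid, {}).values()):
            reasons.append("periodic beaconing to a single address")
        if len(reasons) >= min_reasons:
            findings[pid] = reasons
    return findings


# Constructed sample telemetry: pid 4242 is a hypothetical payload dropped by a fake
# installer; pid 777 is a user's interactive shell doing one-off, benign things.
SAMPLE_EXECS = [
    ExecEvent(1000, 4300, 4242, "/bin/sh", "sh -c 'system_profiler SPSoftwareDataType; ifconfig'"),
    ExecEvent(1001, 4301, 4242, "/bin/sh", "sh -c 'ls /Applications'"),
    ExecEvent(1002, 4302, 4242, "/bin/sh", "sh -c 'find ~/Library -path \"*WeChat*\" -o -path \"*DingTalk*\"'"),
    ExecEvent(1010, 800, 777, "/bin/zsh", "zsh -c 'ls /Applications'"),
]
SAMPLE_NETS = [
    NetEvent(1000, 4242, "203.0.113.10"), NetEvent(1060, 4242, "203.0.113.10"),
    NetEvent(1120, 4242, "203.0.113.10"), NetEvent(1180, 4242, "203.0.113.10"),
    NetEvent(1005, 777, "203.0.113.20"), NetEvent(1300, 777, "203.0.113.20"),
]

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EXECS, SAMPLE_NETS).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

Requiring two independent indicators keeps a single `ls /Applications` from an administrator's terminal below the threshold, while the combination of reconnaissance, messaging-app data access and fixed-interval beaconing from one process is exactly the profile the article describes. In a real deployment the events would come from an EDR or macOS Endpoint Security feed rather than the constructed lists above.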

The attacks are still ongoing

Further analysis showed that almost all C2 servers were located in China, apart from two servers in the United States and the Netherlands. In addition, the ZIP archive containing the macOS installation package was downloaded from a domain belonging to miHoYo, a well-known Chinese game developer famous for the "Genshin Impact" and "Honkai Impact" series. It is not clear how the file came to be hosted on the company's domain, nor can it be determined whether its servers were compromised.

The release of a macOS version of HZ RAT suggests that the same actors are still active. Although the main purpose of this malware is to collect user data, the private IP addresses included in the samples indicate that it could be used to move laterally within the victim's network in the future.

Through system reconnaissance and credential collection, hackers can further invade user networks and obtain high-value information, such as corporate secrets and personal privacy data.