Full Report
UPDATE: Following our initial release, we have been contacted by our fellow researchers at Jamf, who were able to identify three more samples that act like first-stage payloads. They are responsible for downloading the backdoor:

* e7cab6f2be47940bf36e279bbec54ec7 - Jobinfo.app.zip
* 26d6a7e3507edf9953684d367dcd44bd - Jobinfo.zip
* 775851f86cbde630808ff6d2cf8cedbf - Jobinfo.zip

Combined with information in our previous research, the investigation of these samples revealed new components of t
Analysis Summary
# Tool/Technique: Rust-based macOS Backdoor (Trojan.MAC.RustDoor.*) and Associated Payloads
## Overview
This summary covers a previously undocumented backdoor targeting macOS users, attributed to the malware family identified by Bitdefender as `Trojan.MAC.RustDoor.*`. The attack chain involves initial-stage payloads disguised as fake job offerings or Visual Studio updates, which download and execute the main Rust-written backdoor. A separate, older attack vector using fake job offerings was also uncovered, utilizing shell scripts and compiled Apple Scripts to deploy Golang-based discovery binaries.
## Technical Details
- Type: Malware family (Backdoor, Downloader)
- Platform: macOS (x86_64 Intel and ARM architectures)
- Capabilities: Remote command execution, environment discovery, C2 communication, file dropping/execution.
- First Seen: Initial samples traced back to early November 2023; the fake job-offering samples date from Oct. 13, 2023.
## MITRE ATT&CK Mapping
The following mappings are derived from the observed behaviors:
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- T1027.001 - Binary Padding
- **TA0003 - Persistence**
- T1543.001 - Create or Modify System Process: Launch Agent / T1543.004 - Launch Daemon (implied: the backdoor enumerates LaunchAgents/LaunchDaemons with `launchctl list`; the Windows-specific T1547.001 Registry Run Keys / Startup Folder does not apply to macOS)
- **TA0007 - Discovery**
- T1082 - System Information Discovery (`system_profiler`, `sysctl -a`)
- T1016 - System Network Configuration Discovery (`networksetup`)
- T1007 - System Service Discovery (`launchctl list`)
- T1083 - File and Directory Discovery (`diskutil list`)
- **TA0009 - Collection**
- T1005 - Data from Local System (system profiles and kernel parameters gathered for upload)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols
## Functionality
### Core Capabilities
- **Distribution:** Delivered as FAT (universal) Mach-O binaries containing both Intel and ARM slices, sometimes impersonating Visual Studio updates or fake job offerings.
- **Initial Access:** Some variants arrive as zip archives containing shell scripts or compiled AppleScripts that execute the next stage.
- **Execution Chain:** In the job-offering samples, a shell script downloads the backdoor together with a decoy PDF (a confidentiality agreement). In one variant, an application bundle carries a digitally signed FAT binary (`com.id.jobinfo`) that launches compiled AppleScripts (`CocoaAppletAppDelegate.scpt`, which in turn runs `main.scpt`).
- **System Discovery (Golang Binaries):** Dedicated Go binaries (`DataCollector`, `psaux`, `erp_soft`) collect extensive system information by shelling out to native macOS utilities.
### Advanced Features
- **Environment Probing:** Runs `system_profiler SPSoftwareDataType SPHardwareDataType`, `networksetup -listallnetworkservices`, `networksetup -listallhardwareports`, `launchctl list` (enumerates loaded launchd jobs, i.e. existing persistence), `diskutil list`, and `sysctl -a` to build a detailed picture of the host.
- **C2 Communication:** The Go binaries expose two main user-defined functions, `main.execCommand` and `main.sendDataToServer`, whose names indicate local command execution and upload of the collected output.
- **C2 Endpoint Disclosure:** The C2 panel exposes endpoints to list bots (`GET /client/bots`), fetch task results (`GET /tasks/result/`), create new tasks (`POST /tasks/create`), and browse API documentation (`GET /redoc`).
- **Impersonation:** Decoy PDF files (the confidentiality agreement) are shown to the victim so the job-offer lure appears legitimate.
- **Codebase:** The primary backdoor is written in Rust; the discovery binaries are written in Go.
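The command sequence under Environment Probing is a usable detection signal on its own: a single parent process spawning several of these distinct utilities within seconds is rare outside inventory tooling. The following is an added example written for this summary, not Bitdefender's tooling or the malware's code. It scores process-execution events per parent process; the event records and their field names (`ts`, `ppid`, `parent_image`, `cmdline`) are constructed for the example and are assumptions to map onto your own EDR or EndpointSecurity telemetry.

```python
"""Detect the host-discovery command chain attributed to the Go binaries.

Added example for this write-up, not Bitdefender's tooling. A parent that
spawns >= min_distinct distinct utility families from RECON_COMMANDS within
window_s seconds is flagged. Event field names are assumptions.
"""
import os
import shlex
from collections import defaultdict, deque
from datetime import datetime

# Normalised command line (basename of argv[0] + arguments) -> utility family.
RECON_COMMANDS = {
    "system_profiler SPSoftwareDataType SPHardwareDataType": "system_profiler",
    "networksetup -listallnetworkservices": "networksetup",
    "networksetup -listallhardwareports": "networksetup",
    "launchctl list": "launchctl",
    "diskutil list": "diskutil",
    "sysctl -a": "sysctl",
}


def classify(cmdline: str):
    """Map a raw command line onto a utility family, or None if not recon."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv:
        return None
    key = " ".join([os.path.basename(argv[0])] + argv[1:])
    return RECON_COMMANDS.get(key)


def detect_recon_chain(events, window_s=60, min_distinct=3, allowlist=()):
    """One alert per parent that ran >= min_distinct utility families within
    window_s seconds. allowlist: parent image paths to ignore, e.g. an MDM
    agent that legitimately inventories hosts (tune this to cut false positives)."""
    recent = defaultdict(deque)  # ppid -> deque[(ts, family)] inside the window
    alerts = {}                  # ppid -> alert dict, grown as the chain continues
    for ev in sorted(events, key=lambda e: e["ts"]):
        family = classify(ev["cmdline"])
        if family is None or ev["parent_image"] in allowlist:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["ppid"]]
        q.append((ts, family))
        while (ts - q[0][0]).total_seconds() > window_s:  # drop expired events
            q.popleft()
        families = {f for _, f in q}
        if ev["ppid"] in alerts:
            alerts[ev["ppid"]]["utilities"] |= families
            alerts[ev["ppid"]]["last_ts"] = ev["ts"]
        elif len(families) >= min_distinct:
            alerts[ev["ppid"]] = {
                "ppid": ev["ppid"],
                "parent_image": ev["parent_image"],
                "utilities": set(families),
                "first_ts": q[0][0].isoformat(),
                "last_ts": ev["ts"],
            }
    return list(alerts.values())


# Constructed sample telemetry (not real logs): one parent runs the whole
# chain in six seconds; an interactive shell runs two commands half a minute
# apart; one event is unrelated.
SUSPECT = "/Users/alice/Downloads/DataCollector"  # constructed path
SAMPLE_EVENTS = [
    {"ts": "2023-11-03T10:00:01", "ppid": 4242, "parent_image": SUSPECT,
     "cmdline": "/usr/sbin/system_profiler SPSoftwareDataType SPHardwareDataType"},
    {"ts": "2023-11-03T10:00:02", "ppid": 4242, "parent_image": SUSPECT,
     "cmdline": "/usr/sbin/networksetup -listallnetworkservices"},
    {"ts": "2023-11-03T10:00:03", "ppid": 4242, "parent_image": SUSPECT,
     "cmdline": "/usr/sbin/networksetup -listallhardwareports"},
    {"ts": "2023-11-03T10:00:04", "ppid": 4242, "parent_image": SUSPECT,
     "cmdline": "/bin/launchctl list"},
    {"ts": "2023-11-03T10:00:05", "ppid": 4242, "parent_image": SUSPECT,
     "cmdline": "/usr/sbin/diskutil list"},
    {"ts": "2023-11-03T10:00:06", "ppid": 4242, "parent_image": SUSPECT,
     "cmdline": "/usr/sbin/sysctl -a"},
    {"ts": "2023-11-03T10:05:00", "ppid": 515, "parent_image": "/bin/zsh",
     "cmdline": "diskutil list"},
    {"ts": "2023-11-03T10:05:30", "ppid": 515, "parent_image": "/bin/zsh",
     "cmdline": "launchctl list"},
    {"ts": "2023-11-03T10:05:03", "ppid": 777, "parent_image": "/bin/zsh",
     "cmdline": "ls -la /tmp"},
]

if __name__ == "__main__":
    for alert in detect_recon_chain(SAMPLE_EVENTS):
        print(alert)
```

The threshold of three distinct families keeps a lone `diskutil list` or `launchctl list` from an admin shell below the alert line; the allowlist is where inventory agents that legitimately run `system_profiler` belong, keyed on their full image path rather than the basename.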
## Indicators of Compromise
- File Hashes (Initial Stage Job Payloads):
- `e7cab6f2be47940bf36e279bbec54ec7`
- `26d6a7e3507edf9953684d367dcd44bd`
- `775851f86cbde630808ff6d2cf8cedbf`
- File Hashes (Golang Binaries):
- `a91f92bb993fad6ccbd3fd4bb953f963`
- `abdfe38311b621f54511b2afa434266e`
- `95a42a8c422c333c60467460479c66ba`
- `08ae923c3c6b7e94b61402ae8c0c396b`
- File Hashes (Visual Studio Variants - Selected Examples):
- `6dd3a3e4951d34446fe1a5c7cdf39754`
- `90a517c3dab8ceccf5f1a4c0f4932b1f`
- `52a9d67745f153465fac434546007d3a`
- File Names (Visual Studio Variants): `zshrc2`, `Previewers`, `VisualStudioUpdater`, `VisualStudioUpdater_Patch`, `VisualStudioUpdating`, `visualstudioupdate`, `DO_NOT_RUN_ChromeUpdates`
- File Names (Job Info Payloads): `Jobinfo.app.zip`, `Jobinfo.zip`
- Network Indicators:
- `sarkerrentacars[.]com`
- `maconlineoffice[.]com`
- `serviceicloud[.]com`
- `193[.]29[.]13[.]167`
- `88[.]214[.]26[.]22`
- Associated Download Scripts:
- `784d3a3a51ff811b4035ac72a9122ed3` (Shell script downloader)
- `3fe70007c81f6938d872f0acdc7703ff` (Compiled Apple script)
- `b74a98c673102db8f63e8139041728f5` (Decompiled Apple script)
- Associated Download URLs:
- `https://sarkerrentacars[.]com/zshrc`
- `https://turkishfurniture[.]blog/Previewers`
- `http://linksammosupply[.]com/zshrc2`
- `http://linksammosupply[.]com/VisualStudioUpdaterLs2`
- `http://linksammosupply[.]com/VisualStudioUpdater`
## Associated Threat Actors
The report does not explicitly name a threat actor, but the targets include companies in the **crypto-currency space**.
## Detection Methods
- Signature-based detection (Bitdefender identifies this family as `Trojan.MAC.RustDoor.*`).
- Hash matching against the Mach-O payloads and the initial ZIP/application bundle files listed above. Hashes only catch known samples: the report itself added three first-stage payloads after publication, so pair them with the behavioral checks below.
- Behavioral detection on shell scripts or compiled AppleScripts executed out of freshly extracted ZIP archives, followed by a burst of the system-profiling commands listed under Environment Probing.
- YARA rules on strings specific to the Rust and Go binaries, such as the `main.execCommand` / `main.sendDataToServer` symbol names and the hard-coded profiling command lines.
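Hash matching and the FAT-binary control under Mitigation Strategies both start from the same triage step: decide whether a dropped file is a universal Mach-O, which architecture slices it carries, and whether its MD5 is on the indicator list above. The following is an added example for this summary, not Bitdefender's tooling or the sample's own code. It parses the `fat_header`/`fat_arch` structures and thin Mach-O magics directly; the header bytes it runs on are constructed with `struct.pack` and are not real samples, so they do not match any indicator.

```python
"""Triage a suspected sample: FAT/thin Mach-O identification, architecture
slices, and MD5 lookup against the published indicators.

Added example for this write-up, not Bitdefender's tooling. Sample input
headers are constructed (build_sample_fat) and are not real malware.
"""
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE     # universal binary header, always big-endian
MH_MAGIC = 0xFEEDFACE      # thin 32-bit Mach-O (little-endian on Apple hosts)
MH_MAGIC_64 = 0xFEEDFACF   # thin 64-bit Mach-O
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

# MD5s copied from the Indicators of Compromise section above.
IOC_MD5 = {
    "e7cab6f2be47940bf36e279bbec54ec7", "26d6a7e3507edf9953684d367dcd44bd",
    "775851f86cbde630808ff6d2cf8cedbf", "a91f92bb993fad6ccbd3fd4bb953f963",
    "abdfe38311b621f54511b2afa434266e", "95a42a8c422c333c60467460479c66ba",
    "08ae923c3c6b7e94b61402ae8c0c396b", "6dd3a3e4951d34446fe1a5c7cdf39754",
    "90a517c3dab8ceccf5f1a4c0f4932b1f", "52a9d67745f153465fac434546007d3a",
    "784d3a3a51ff811b4035ac72a9122ed3", "3fe70007c81f6938d872f0acdc7703ff",
    "b74a98c673102db8f63e8139041728f5",
}


def parse_fat_header(data: bytes):
    """Architecture names in a FAT header, in slice order; [] if not FAT.
    (The 64-bit fat header variant, magic 0xCAFEBABF, is not handled here.)"""
    if len(data) < 8:
        return []
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        return []
    # Java .class files share the 0xCAFEBABE magic; their next four bytes are
    # minor/major version with major >= 45, so an absurd slice count means
    # "not a universal binary".
    if nfat == 0 or nfat > 30 or len(data) < 8 + 20 * nfat:
        return []
    arches = []
    for i in range(nfat):  # struct fat_arch: cputype, cpusubtype, offset, size, align
        cputype, _sub, _off, _size, _align = struct.unpack(
            ">iiIII", data[8 + 20 * i: 28 + 20 * i])
        arches.append(CPU_NAMES.get(cputype, f"cputype_{cputype:#x}"))
    return arches


def classify_macho(data: bytes):
    """('fat', [arches]) | ('thin', [arch]) | ('not-macho', [])."""
    arches = parse_fat_header(data)
    if arches:
        return "fat", arches
    if len(data) >= 8:
        magic, cputype = struct.unpack("<Ii", data[:8])  # struct mach_header
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return "thin", [CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")]
    return "not-macho", []


def triage(data: bytes):
    """Summary dict for one file's bytes: kind, slices, MD5 and IOC match."""
    kind, arches = classify_macho(data)
    md5 = hashlib.md5(data).hexdigest()
    return {"kind": kind, "arches": arches, "md5": md5, "ioc_hit": md5 in IOC_MD5}


def build_sample_fat(cputypes):
    """Constructed FAT header with empty slices, for demonstration only."""
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    offset = 0x4000
    for cputype in cputypes:
        hdr += struct.pack(">iiIII", cputype, 0, offset, 0x1000, 14)  # align 2^14
        offset += 0x4000
    return hdr


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 1:  # no path given: run on the constructed header
        print(triage(build_sample_fat([CPU_TYPE_X86_64, CPU_TYPE_ARM64])))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it against the contents of an extracted `Jobinfo.app` bundle or a `VisualStudioUpdater` download to see which slices are present; a file that is not Mach-O at all but sits next to a signed FAT launcher (the compiled `.scpt` files in the job-offer bundle) is exactly the case hash matching and behavioral rules have to cover together.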
## Mitigation Strategies
- **Application Control:** Restrict execution of untrusted FAT binaries, especially those extracted from unsolicited zip archives. Because at least one job-offer variant shipped a digitally signed binary, a "signed only" rule is not enough; allowlist by developer identity or notarization status.
- **System Hardening:** Monitor creation of LaunchAgent/LaunchDaemon property lists and `launchctl` invocations from unexpected parent processes; the backdoor's own `launchctl list` probing is itself a detection hook.
- **Network Filtering:** Block the C2 and payload-download domains and IPs listed above.
- **User Awareness:** Educate users regarding fake job offerings and unsolicited software updates (e.g., Visual Studio updates) delivered outside official channels.
## Related Tools/Techniques
- Other macOS droppers/backdoors exhibiting multi-architecture support (FAT binaries).
- Use of compiled AppleScript for payload execution, indicative of prior macOS threat development.
- The Golang binaries share functionality with general-purpose reconnaissance tools used in the post-compromise discovery stage.