macOS data exfiltration malware poses as an update for Visual Studio code editor.

Door with directions to use the back door with arrow
Source: Medicimage Education via Alamy Stock Photo

Researchers have discovered a new backdoor targeting macOS that appears to have ties to an infamous ransomware family that historically targets Windows systems.

Researchers at Bitdefender say the so-called Trojan.MAC.RustDoor is likely linked to BlackCat/ALPHV. The newly discovered backdoor is written in Rust coding language and impersonates an update for Visual Studio code editor.

Bitdefender in its advisory said there have been multiple variants of the new backdoor, and that it has been in action for at least three months.

The macOS malware gathers data from the Desktop and Documents folders, along with user notes, and then compresses the information into a ZIP archive and sends it to a command-and-control (C2) server.

"While the current information on Trojan.MAC.RustDoor is not enough to confidently attribute this campaign to a specific threat actor, artifacts and IoCs (indicators of compromise) suggest a possible relationship with the BlackBasta and (ALPHV/BlackCat) ransomware operators," Bitedefender researcher Andrei Lapusneau wrote in the company's report. "Specifically, three out of the four command and control servers have been previously associated with ransomware campaigns targeting Windows clients."

The researcher also noted the ALPHV/BlackCat ransomware is likewise written in Rust. The BlackCat/ALPHV ransomware group traditionally has favored Windows targets such as Microsoft Exchange Services.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights