macOS Targeted by New Backdoor Linked to ALPHV Ransomware

Researchers have discovered a new backdoor targeting macOS that appears to have ties to an infamous ransomware family that historically targets Windows systems.

Researchers at Bitdefender say the so-called Trojan.MAC.RustDoor is likely linked to BlackCat/ALPHV. The newly discovered backdoor is written in Rust coding language and impersonates an update for Visual Studio code editor.

Bitdefender in its advisory said there have been multiple variants of the new backdoor, and that it has been in action for at least three months.

The macOS malware gathers data from the Desktop and Documents folders, along with user notes, and then compresses the information into a ZIP archive and sends it to a command-and-control (C2) server.

"While the current information on Trojan.MAC.RustDoor is not enough to confidently attribute this campaign to a specific threat actor, artifacts and IoCs (indicators of compromise) suggest a possible relationship with the BlackBasta and (ALPHV/BlackCat) ransomware operators," Bitedefender researcher Andrei Lapusneau wrote in the company's report. "Specifically, three out of the four command and control servers have been previously associated with ransomware campaigns targeting Windows clients."

The researcher also noted the ALPHV/BlackCat ransomware is likewise written in Rust. The BlackCat/ALPHV ransomware group traditionally has favored Windows targets such as Microsoft Exchange Services.