New Malware Mimics Visual Studio Update to Attack macOS Users

by Esmeralda McKenzie

A new backdoor written in Rust has been discovered targeting macOS users, and it has several interesting features. Three variants of the backdoor were found masquerading under the name Visual Studio Update.

The backdoor is distributed as FAT (universal) binaries containing Mach-O slices for both x86_64 Intel and ARM architectures. The backdoor dates back to early November 2023, with the newest sample discovered on February 2, 2024.
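A FAT binary is just a big-endian header listing the CPU slices it carries, so a triage script can tell in a few bytes whether a sample is Intel-only, ARM-only or universal like the ones described above. The following Python is an added example written for this page, not code from the article or from Bitdefender; the header bytes it parses are constructed (no real sample is embedded), and the cap used to tell a FAT header from a Java class file, which shares the 0xCAFEBABE magic, is a heuristic assumption.

```python
import struct

# Constants from Apple's <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE        # FAT header is always stored big-endian
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O; stored in the target's (little) endianness
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_NAMES = {
    CPU_TYPE_X86 | CPU_ARCH_ABI64: "x86_64",
    CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
    CPU_TYPE_X86: "i386",
    CPU_TYPE_ARM: "arm",
}
# Java class files also start with 0xCAFEBABE, but their next field is a version number far
# larger than any plausible slice count; the cap below separates the two (heuristic assumption).
MAX_FAT_ARCHS = 30
FAT_ARCH_SIZE = 20            # struct fat_arch: cputype, cpusubtype, offset, size, align (5 x uint32)


def _cpu_name(cputype: int) -> str:
    return CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")


def fat_architectures(data: bytes) -> list:
    """Return the CPU architectures carried by a Mach-O image (FAT or thin); [] if not Mach-O."""
    if len(data) < 8:
        return []
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat == 0 or nfat > MAX_FAT_ARCHS:
            return []
        archs = []
        for i in range(nfat):
            off = 8 + i * FAT_ARCH_SIZE
            if off + FAT_ARCH_SIZE > len(data):
                break  # truncated header: report the slices we could read, never read past the end
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(_cpu_name(cputype))
        return archs
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        return [_cpu_name(struct.unpack("<I", data[4:8])[0])]
    return []


def is_universal(data: bytes) -> bool:
    """True when the image is a FAT binary carrying more than one architecture."""
    return len(fat_architectures(data)) > 1


def build_fat_header(cputypes: list) -> bytes:
    """Build a minimal FAT header for testing (constructed input, not a real sample)."""
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, ct in enumerate(cputypes):
        # cpusubtype, offset, size and align are placeholders; only cputype is inspected above
        hdr += struct.pack(">IIIII", ct, 3, 0x4000 * (i + 1), 0x1000, 14)
    return hdr


# Constructed samples mirroring the shape the article describes: an Intel+ARM FAT image,
# a thin arm64 image, and a file that is not Mach-O at all.
SAMPLE_FAT = build_fat_header([CPU_TYPE_X86 | CPU_ARCH_ABI64, CPU_TYPE_ARM | CPU_ARCH_ABI64])
SAMPLE_THIN_ARM64 = struct.pack("<II", MH_MAGIC_64, CPU_TYPE_ARM | CPU_ARCH_ABI64) + b"\0" * 24
SAMPLE_SCRIPT = b"#!/bin/sh\necho not a mach-o\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 1:
        for label, blob in [("fat", SAMPLE_FAT), ("thin", SAMPLE_THIN_ARM64), ("script", SAMPLE_SCRIPT)]:
            print(label, fat_architectures(blob))
    for p in sys.argv[1:]:
        with open(p, "rb") as fh:  # the header is enough; no need to read the whole file
            print(p, fat_architectures(fh.read(8 + MAX_FAT_ARCHS * FAT_ARCH_SIZE)))
```

Run it with file paths to classify real binaries (`python3 fatcheck.py /path/to/suspect`), or with no arguments to see the constructed samples classified. On a Mac, `lipo -archs` or `file` give the same answer; the point of doing it by hand is that the check works from any platform on a sample pulled from quarantine.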


Malware Mimics Visual Studio Update

Bitdefender notes that most of the samples share the same core functionality with minor variations. A list of identified samples is as follows:

  • zshrc2
  • Previewers
  • VisualStudioUpdater
  • VisualStudioUpdater_Patch
  • VisualStudioUpdating
  • visual studio update
  • DO_NOT_RUN_ChromeUpdates

All variants support the following commands:

  • ps
  • shell
  • cd
  • mkdir
  • rm
  • rmdir
  • sleep
  • add
  • botkill
  • dialog
  • taskkill
  • fetch

Variant 1

This was found to be a test version of the backdoor, identifiable by its plist file (test.plist). The embedded plist file appears to have been copy-pasted from a public write-up describing persistence mechanisms and sandbox evasion techniques for macOS.

Variant 1 source files (Source: Bitdefender)
.plist file created for persistence (Source: Bitdefender)

Variant 2

The set of files in this second variant includes several large files containing a complex JSON configuration along with an embedded AppleScript for collecting data. This AppleScript was found in several variants, all of them intended for data exfiltration.

Variant 1 source files (Source: Bitdefender)

The configuration options also include a list of applications to impersonate when spoofing a password prompt: the backdoor displays a dialog box in the name of one of those applications to phish the administrator password.

Variant zero

This is the oldest version, first seen on November 11, 2023. Being the earliest version of the backdoor, it lacks the AppleScript and the embedded configurations.

Bitdefender has published a full report on the backdoor, which it has traced back to the BlackBasta and ALPHV/BlackCat ransomware operators. The report contains in-depth information on the backdoor's variants, samples, source code, and other related details.

Indicators of Compromise

Binaries

  • 6dd3a3e4951d34446fe1a5c7cdf39754 (VisualStudioUpdater_Patch)
  • 90a517c3dab8ceccf5f1a4c0f4932b1f (VisualStudioUpdater_Patch)
  • b67bba781e5cf006bd170a0850a9f2d0 (VisualStudioUpdating)
  • f5774aca722e0624daf67a2da5ec6967 (VisualStudioUpdater_Patch)
  • 52a9d67745f153465fac434546007d3a (Previewers)
  • 30b27b765878385161ca1ee71726a5c6 (DO_NOT_RUN_ChromeUpdates)
  • 1dbc26447c1eaa9076e65285c92f7859 (visualstudioupdate)
  • 05a8583f36599b5bc93fa3c349e89434 (VisualStudioUpdater)
  • 5d0c62da036bbe375cb10659de1929e3 (VisualStudioUpdater)
  • 68e0facbf541a2c014301346682ef9ca (VisualStudioUpdater)
  • b2bdd1d32983c35b3b1520d83d89d197 (zshrc2)
  • 5fcc12eaba8185f9d0ddecafae8fd2d1 (zshrc2)
  • 97cd4fc94c59121f903f2081df1c9981
  • 28bdd46d8609512f95f1f1b93c79d277
  • 3e23308d074d8bd4ffdb5e21e3aa8f22
  • 088779125434ad77f846731af2ed6781
  • b67f6e534d5cca654813bd9e94a125b9
  • cf54cba05efee9e389e090b3fd63f89b
  • 44fcf7253bcf0102811e50a4810c4e41
  • 690a097b0eea384b02e013c1c0410189
  • 186be45570f13f94b8de82c98eaa8f4f
  • 3c780bcfb37a1dfae5b29a9e7784cbf5
  • 925239817d59672f61b8332f690c6dd6
  • 9c6b7f388abec945120d95d892314ea7
  • 85cd1afbc026ffdfe4cd3eec038c3185
  • 6aaba581bcef3ac97ea98ece724b9092
  • bcbbf7a5f7ccff1932922ae73f6c65b7
  • bde0e001229884404529773b68bb3da0
  • 795f0c68528519ea292f3eb1bd8c632e
  • bc394c859fc379900f5648441b33e5fd
  • 0fe0212fc5dc82bd7b9a8b5d5b338d22
  • 835ebf367e769eeaaef78ac5743a47ca
  • bdd4972e570e069471a4721d76bb5efb

Download domains

  • https[:]//sarkerrentacars[.]com/zshrc
  • https[:]//turkishfurniture[.]weblog/Previewers
  • http[:]//linksammosupply[.]com/zshrc2
  • http[:]//linksammosupply[.]com/VisualStudioUpdaterLs2
  • http[:]//linksammosupply[.]com/VisualStudioUpdater

C&C URLs

  • maconlineoffice[.]com
  • 193.29.13[.]167
  • 88.214.26[.]22
  • https://serviceicloud[.]com
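The lists above are defanged for publication, so the first step in using them is to turn them back into something a host sweep can match on. The following Python is an added example written for this page, not code from the article or from Bitdefender: it carries the published MD5 hashes, sample names and network indicators as constants, re-fangs the hosts, and walks a directory looking for files with a known hash, launchd plists whose Label or ProgramArguments name one of the samples, and small files that mention a download or C2 host. The demo tree it builds is constructed data (a harmless plist, a JSON file and a text file), and the benign file's hash is passed in as an extra indicator only so the hash path can be exercised offline.

```python
import hashlib
import os
import plistlib
import tempfile
from urllib.parse import urlsplit

# Indicators copied from the lists above, defanged exactly as published.
IOC_MD5 = set("""
6dd3a3e4951d34446fe1a5c7cdf39754 90a517c3dab8ceccf5f1a4c0f4932b1f b67bba781e5cf006bd170a0850a9f2d0
f5774aca722e0624daf67a2da5ec6967 52a9d67745f153465fac434546007d3a 30b27b765878385161ca1ee71726a5c6
1dbc26447c1eaa9076e65285c92f7859 05a8583f36599b5bc93fa3c349e89434 5d0c62da036bbe375cb10659de1929e3
68e0facbf541a2c014301346682ef9ca b2bdd1d32983c35b3b1520d83d89d197 5fcc12eaba8185f9d0ddecafae8fd2d1
97cd4fc94c59121f903f2081df1c9981 28bdd46d8609512f95f1f1b93c79d277 3e23308d074d8bd4ffdb5e21e3aa8f22
088779125434ad77f846731af2ed6781 b67f6e534d5cca654813bd9e94a125b9 cf54cba05efee9e389e090b3fd63f89b
44fcf7253bcf0102811e50a4810c4e41 690a097b0eea384b02e013c1c0410189 186be45570f13f94b8de82c98eaa8f4f
3c780bcfb37a1dfae5b29a9e7784cbf5 925239817d59672f61b8332f690c6dd6 9c6b7f388abec945120d95d892314ea7
85cd1afbc026ffdfe4cd3eec038c3185 6aaba581bcef3ac97ea98ece724b9092 bcbbf7a5f7ccff1932922ae73f6c65b7
bde0e001229884404529773b68bb3da0 795f0c68528519ea292f3eb1bd8c632e bc394c859fc379900f5648441b33e5fd
0fe0212fc5dc82bd7b9a8b5d5b338d22 835ebf367e769eeaaef78ac5743a47ca bdd4972e570e069471a4721d76bb5efb
""".split())
IOC_NAMES = {"zshrc2", "previewers", "visualstudioupdater", "visualstudioupdating",
             "visual studio update", "visualstudioupdate", "do_not_run_chromeupdates"}
IOC_NETWORK = ["https[:]//sarkerrentacars[.]com/zshrc", "https[:]//turkishfurniture[.]weblog/Previewers",
               "http[:]//linksammosupply[.]com/zshrc2", "maconlineoffice[.]com", "193.29.13[.]167",
               "88.214.26[.]22", "https://serviceicloud[.]com"]


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").replace("[:]", ":")


def indicator_host(indicator: str) -> str:
    """Host or IP of a (defanged) URL or bare host; this is what gets grepped for."""
    s = refang(indicator)
    return urlsplit(s).hostname if "://" in s else s


IOC_HOSTS = {indicator_host(i) for i in IOC_NETWORK}


def md5_file(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()


def plist_indicators(path: str) -> list:
    """IOC names found in a launchd plist's Label or ProgramArguments (case-insensitive)."""
    try:
        with open(path, "rb") as fh:
            pl = plistlib.load(fh)
    except Exception:
        return []  # not a parseable plist
    text = " ".join(str(f) for f in [pl.get("Label", "")] + list(pl.get("ProgramArguments", []))).lower()
    return sorted(n for n in IOC_NAMES if n in text)


def sweep(root: str, extra_md5=frozenset()) -> dict:
    """Walk root; report hash matches, launchd plists naming the samples, and small files
    mentioning a download/C2 host. Keys are paths relative to root with '/' separators."""
    known = IOC_MD5 | set(extra_md5)
    result = {"hash_hits": {}, "plist_hits": {}, "host_hits": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = md5_file(path)
            if digest in known:
                result["hash_hits"][rel] = digest
            if name.endswith(".plist") and (hits := plist_indicators(path)):
                result["plist_hits"][rel] = hits
            if os.path.getsize(path) <= 1 << 20:  # only grep small files for hosts
                with open(path, "rb") as fh:
                    blob = fh.read().lower()
                if found := sorted(h for h in IOC_HOSTS if h.encode() in blob):
                    result["host_hits"][rel] = found
    return result


def build_demo_tree(root: str) -> None:
    """Constructed sample data, not real malware: a launchd plist naming the fake updater,
    a config mentioning one C2 host from the list above, and a benign text file."""
    agents = os.path.join(root, "Library", "LaunchAgents")
    os.makedirs(agents)
    with open(os.path.join(agents, "VisualStudioUpdater.plist"), "wb") as fh:
        plistlib.dump({"Label": "VisualStudioUpdater", "RunAtLoad": True,
                       "ProgramArguments": [os.path.join(root, "Library", "VisualStudioUpdater")]}, fh)
    with open(os.path.join(root, "Library", "config.json"), "wb") as fh:
        fh.write(b'{"c2": "https://MacOnlineOffice.com/api", "sleep": 30}\n')
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")


DEMO_BENIGN_MD5 = hashlib.md5(b"nothing to see here\n").hexdigest()


def run_demo() -> dict:
    """Sweep the constructed tree; the benign file's hash is an extra IOC only for the demo."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return sweep(root, extra_md5={DEMO_BENIGN_MD5})
```

On a real host, point `sweep()` at the user's home directory and `/Library` (LaunchAgents and LaunchDaemons are where the persistence plist would land) rather than `/`, and treat MD5 hits as confirmation only: the sample names and hosts are the indicators that survive a recompile, and a hit on either warrants pulling the referenced binary and running it through the FAT/Mach-O check.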

Source credit : cybersecuritynews.com
