“MacOS Under Siege: HZ Rat Exploits WeChat to Target Corporate Users”
**Exploring the HZ Rat: A New Threat to macOS Users on WeChat and DingTalk**
As the digital landscape evolves, so too does the nature of cyber threats. macOS, long celebrated for its robust security features, is facing a new challenge that underscores the vulnerability even the most reputed systems can encounter. Cybersecurity experts at Kaspersky Lab have unearthed a disturbing development: the HZ Rat, a formidable backdoor malware, has extended its reach to macOS users, exploiting popular messaging platforms like WeChat to infiltrate systems.
Initially identified in June 2024, the macOS variant of HZ Rat mirrors its Windows counterpart, which has been compromising systems since November 2022. This malware specifically targets users of the corporate instant messenger DingTalk and the social messaging platform WeChat. What sets the macOS version apart is its method of payload delivery—through shell scripts orchestrated from a command-and-control (C2) server. Intriguingly, some variants of this backdoor use local addresses for the C2, hinting at targeted attacks with potential for lateral movement within compromised networks.
The transition of HZ Rat from a Windows-focused threat to a cross-platform menace began with its detection in macOS environments in July 2023. Disguised ingeniously as OpenVPN Connect (OpenVPNConnect.pkg), it evaded detection by all vendors on VirusTotal at the time of discovery. The components of this malware are deceptive in their simplicity: a standard OpenVPN application, a shell script labeled ‘exe’, and an initiating file named ‘init’. The control servers are predominantly located in China and use port 8081, underscoring the geographical specificity of the attack.
The operational mechanics of the backdoor are equally sophisticated. Developed in C++, it initiates sessions using a random 4-byte ‘cookie’ and executes four primary commands: running shell commands, writing files, downloading files, and checking availability through pings. According to Securelist’s report, this malware harvests extensive system information such as SIP status, hardware specifics, IP addresses, connected Bluetooth devices, WiFi networks, storage details, and application lists. It also extracts user data from WeChat and employee data from DingTalk files such as orgEmployeeModel and sAlimailLoginEmail.
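The two observable traits described above, the decoy package carrying an ‘exe’ shell script and an ‘init’ file beside a real OpenVPN app, and C2 traffic on port 8081, can be turned into a simple host triage check. The script below is an added illustration, not code from the article or from Kaspersky; it assumes payload paths in the form printed by `pkgutil --payload-files` and connection lines in `lsof -i -nP` format, and all sample data is constructed.

```python
import re

# Indicators taken from the write-up: the decoy package name, the two odd
# payload files next to the genuine app, and the C2 port.
PKG_NAME = "OpenVPNConnect.pkg"
SUSPECT_PAYLOAD = {"exe", "init"}
C2_PORT = 8081


def suspicious_package_payload(pkg_name: str, payload_paths: list[str]) -> list[str]:
    """Return the suspect top-level payload names found in a package that uses the
    decoy name and also ships an OpenVPN .app bundle; empty list otherwise."""
    if pkg_name != PKG_NAME:
        return []
    # `pkgutil --payload-files` prints paths like "./exe"; keep the first component.
    top_level = {p.lstrip("./").split("/")[0] for p in payload_paths}
    has_openvpn_app = any(n.endswith(".app") and "openvpn" in n.lower() for n in top_level)
    hits = sorted(top_level & SUSPECT_PAYLOAD)
    return hits if has_openvpn_app else []


# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME  (lsof -i -nP layout)
LSOF_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+.*TCP\s+\S+->(?P<host>[\d.]+):(?P<port>\d+)\s+\(ESTABLISHED\)"
)


def c2_port_connections(lsof_lines: list[str]) -> list[tuple[str, int, str]]:
    """Pick established TCP connections whose remote port is the C2 port and
    return (process name, pid, remote host) for each."""
    found = []
    for line in lsof_lines:
        m = LSOF_RE.search(line)
        if m and int(m["port"]) == C2_PORT:
            found.append((m["proc"], int(m["pid"]), m["host"]))
    return found


# Constructed sample data (documentation-range addresses, not real indicators).
SAMPLE_PAYLOAD = ["./OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect", "./exe", "./init"]
SAMPLE_LSOF = [
    "exe       4242 user   12u  IPv4 0x1  0t0  TCP 192.0.2.10:52311->198.51.100.7:8081 (ESTABLISHED)",
    "Safari    1011 user   33u  IPv4 0x2  0t0  TCP 192.0.2.10:52312->203.0.113.5:443 (ESTABLISHED)",
]

if __name__ == "__main__":
    print("payload hits:", suspicious_package_payload(PKG_NAME, SAMPLE_PAYLOAD))
    print("C2 port connections:", c2_port_connections(SAMPLE_LSOF))
```

On a live host, feed the functions the real output of `pkgutil --payload-files <pkg>` and `lsof -i -nP`; a hit on either check is a reason to pull the package and the process for closer analysis, not proof of infection by itself.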
One alarming aspect of HZ Rat is its focus on data extraction from Google Password Manager, although the full scope of its capabilities remains shrouded in mystery due to some inactive file transfer commands. The source of this malware links back to a notorious domain, raising suspicions about potential data leaks and broader implications for cybersecurity.
This expansion of HZ Rat into macOS territory via platforms like WeChat signals a worrying trend. Hackers are increasingly targeting systems previously considered secure, leveraging everyday communication tools to deploy their malicious activities. For macOS users, particularly those in corporate environments where sensitive data is abundant, this development is a stark reminder of the persistent and evolving threat landscape.
As we navigate this digital age, the discovery of HZ Rat on macOS serves as a critical wake-up call. Users must remain vigilant, update security protocols regularly, and be wary of the software they install—even when it appears legitimate. The battle against cyber threats is ongoing, and staying informed is our best defense against these insidious attacks that know no bounds.