“HZ RAT: From Windows Threat to Mac Menace – Your Data, Their Control”
Understanding HZ RAT: The Evolution of a Remote Access Trojan from Windows to Mac
The tools of cybercriminals are becoming more sophisticated and menacing. A prime example of this alarming trend is the HZ RAT, a remote access trojan that has been lurking in the shadows of the internet since at least 2020, primarily targeting Windows-based devices. However, in a concerning turn of events, this malware has recently been upgraded and has now set its sights on Mac users as well.
Originally, RATs like HZ RAT are employed by attackers to gain complete control over a target computer. They often sneak onto devices disguised as benign email attachments or bundled with seemingly legitimate applications, such as video games. Once installed, they grant attackers full administrative capabilities, allowing them to execute nearly any malicious activity from afar. On September 5, Intego, a renowned security firm, revealed that a new version of HZ RAT specifically designed to infiltrate macOS environments had been detected in the wild. This revelation is particularly troubling given that prior reports have traced the origins of HZ RAT back to China, although Intego itself has not confirmed these attributions.
The transition of HZ RAT from targeting only Windows PCs to also attacking Macs marks a significant escalation in the threat landscape for Apple users. According to a detailed report by Moonlock, this RAT is capable of spying on users and pilfering sensitive data. However, it’s not just any data stealer; its sophistication and persistence make it a formidable tool in the arsenal of cyber adversaries. The malware can capture screenshots, record keystrokes, extract data from Google Password Manager, and target user information from popular Chinese Mac apps like WeChat and DingTalk.
Once HZ RAT establishes itself on a device, it connects to a command-and-control server to fetch further malicious instructions. This connection enables the attacker to upload and download files, write arbitrary files to the system, and execute commands remotely. The methods suspected of spreading this new Mac malware include watering hole attacks, deceptive Google Ads, and impersonating legitimate websites.
From a compromised Mac, HZ RAT can gather an extensive array of information including local IP addresses, Bluetooth device data, Wi-Fi networks details, hardware specifications, storage information, and even lists of applications installed on the device. While it does not directly harvest passwords from Google Password Manager, there is a suspicion that cybercriminals might combine stolen usernames and other data with password leaks sourced from the dark web.
The overarching goal behind deploying HZ RAT remains shrouded in mystery, primarily revolving around extensive data collection. What adds to the worry is that many security providers have yet to detect this version of malware effectively. Moreover, Intego’s investigation uncovered a malware sample masquerading as the OpenVPN Connect VPN app, further complicating the detection process. An analysis conducted in 2022 on the Windows variant of HZ RAT identified numerous Chinese IP addresses and domains linked to this malicious operation—about 80% of which were active but unreachable.
In light of these developments, Mac users are advised to exercise increased caution. It is crucial to download software only from trusted sources like the Apple App Store and keep both operating systems and security applications up-to-date. Staying alert to suspicious emails, links, or attachments is more important than ever as cyber threats continue to evolve and adapt.