
HZ Rat MacOS Variant

Written by The Hivemind | Sep 13, 2024 6:19:08 PM

Executive Summary

A MacOS variant of HZ Rat was recently discovered targeting messaging apps in China. HZ Rat is a basic backdoor, and shell commands received from the C2 provide additional functionality.

Key Takeaways

  • A MacOS variant of HZ Rat was recently discovered targeting messaging apps in China.
  • HZ Rat is a basic backdoor capable of connecting to the command and control (C2), executing shell commands, writing a file to disk, sending files to the C2, and checking the victim’s availability. 
  • The MacOS variant almost exactly replicates the original variant’s functionality, while the payload was adapted to receive commands in the form of shell scripts.
  • Additional shell commands received from the C2 allow threat actors to perform additional actions, including stealing WeChat and DingTalk information and obtaining data from Google Password Manager. 

What is HZ Rat?

Securelist recently reported on a MacOS variant of HZ Rat that targets messaging apps in China.

HZ Rat was first observed in 2022 but may have been active since at least October 2020. The original variant was distributed using self-extracting ZIP files or malicious RTF files. It targeted Windows systems and received commands as PowerShell scripts. It is a basic backdoor capable of connecting to the command and control (C2), executing shell commands, writing a file to disk, sending files to the C2, and checking the victim’s availability. 

The MacOS variant of HZ Rat is similar to the Windows variant. It almost exactly replicates the original variant’s functionality, while the payload was adapted to receive commands in the form of shell scripts. HZ Rat is delivered in a file named OpenVPNConnect.pkg, and the installer is a wrapper for the legitimate OpenVPN Connect app. In addition to the legitimate application, the package directory contains two files, exe and init. 

When the application is opened, the file named exe is launched first. It is a shell script that runs the init file and then launches the OpenVPN application. The file named init is the HZ Rat backdoor. Once launched, HZ Rat connects to the C2, and communication with the C2 is encrypted. Additional shell commands received from the C2 allow threat actors to determine SIP status, obtain additional system and device information, obtain a list of applications, steal WeChat and DingTalk information, and obtain data from Google Password Manager. DingTalk information targeted includes the name of the organization where the victim works and the victim's department, username, corporate email address, and phone number. WeChat information of interest includes the victim’s WeChatID, email, and phone number.
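As an added example (not code from PolySwarm or Securelist), the following Python triage helper checks an unpacked package directory for the layout described above: an exe launcher script that references init and opens OpenVPN, plus a SHA-256 match against the sample hash listed in the IOCs section of this post. The launcher script contents, the app bundle name, and the placeholder init bytes used in the demo are constructed assumptions, not the real files.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 of the HZ Rat sample given in the IOCs section of this post.
KNOWN_HZRAT_SHA256 = {"d006d5864108094a82315ee60ce057afc8be09546ffaa1f9cc63a51a96764114"}

def _mentions_file(script: str, name: str) -> bool:
    """True if a non-comment token in the script names `name` (./init, "$DIR/init", init &)."""
    for line in script.splitlines():
        for tok in line.split("#", 1)[0].replace(";", " ").replace("&", " ").split():
            if tok.strip("\"'").rsplit("/", 1)[-1] == name:
                return True
    return False

def triage_package_dir(root: Path) -> dict:
    """Score an unpacked package directory against the exe/init layout described above."""
    exe, init = root / "exe", root / "init"
    f = {"has_exe": exe.is_file(), "has_init": init.is_file(),
         "exe_runs_init": False, "exe_opens_openvpn": False, "hash_match": []}
    if f["has_exe"]:
        text = exe.read_bytes()[:4096].decode("utf-8", "replace")
        if text.startswith("#!"):  # the launcher is a shell script, as the report describes
            f["exe_runs_init"] = _mentions_file(text, "init")
            f["exe_opens_openvpn"] = "openvpn" in text.lower()
    # Package payloads are small, so hashing whole files in memory is acceptable here.
    f["hash_match"] = [str(p.relative_to(root)) for p in root.rglob("*")
                       if p.is_file() and hashlib.sha256(p.read_bytes()).hexdigest() in KNOWN_HZRAT_SHA256]
    score = sum([f["has_exe"] and f["has_init"], f["exe_runs_init"], f["exe_opens_openvpn"]])
    f["verdict"] = "known_hzrat" if f["hash_match"] else ("suspicious" if score >= 2 else "clean")
    return f

def demo() -> dict:
    """Triage a constructed layout: launcher script, placeholder init, stand-in app bundle."""
    root = Path(tempfile.mkdtemp(prefix="hzrat_demo_"))
    (root / "OpenVPN Connect.app").mkdir()  # stand-in for the legitimate app (assumed name)
    (root / "exe").write_text("#!/bin/sh\n./init &\nopen -a 'OpenVPN Connect'\n")  # constructed
    (root / "init").write_bytes(b"placeholder bytes, not the real backdoor")  # constructed
    return triage_package_dir(root)

def demo_clean() -> dict:
    """Same triage on a directory holding only the app bundle: should score clean."""
    root = Path(tempfile.mkdtemp(prefix="hzrat_clean_"))
    (root / "OpenVPN Connect.app").mkdir()
    return triage_package_dir(root)
```

Point triage_package_dir at a directory produced by expanding a suspect .pkg; a hash match against the published sample is conclusive, while the layout score only indicates the package deserves a closer look.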

It is interesting to note that some HZ Rat samples use local IP addresses to connect to the C2, indicating the threat may be targeted. It also shows that the threat actor’s likely intent was to use HZ Rat for lateral movement in the victim's environment. While HZ Rat has not been attributed to a particular threat actor, Securelist notes that whoever is responsible for the MacOS variant of HZ Rat is likely the same threat actor responsible for previously observed HZ Rat activity.  

IOCs

PolySwarm has a sample of HZ Rat.


d006d5864108094a82315ee60ce057afc8be09546ffaa1f9cc63a51a96764114


You can use the following CLI command to search for all HZ Rat samples in our portal:

$ polyswarm link list -f HZRat

