Insights, news, education and announcements from PolySwarm

RustDoor MacOS Backdoor

Written by The Hivemind | Feb 26, 2024 4:51:18 PM

Related Families: GateDoor
Verticals Targeted: Cryptocurrency

Executive Summary

RustDoor is a new MacOS backdoor written in Rust. RustDoor was observed targeting companies in the cryptocurrency sector.

Key Takeaways

  • RustDoor is a new MacOS backdoor written in Rust. 
  • RustDoor was observed targeting companies in the cryptocurrency sector.
  • GateDoor is a Windows version of RustDoor.
  • RustDoor uses infrastructure linked to the ALPHV ransomware gang, causing industry researchers to speculate whether there is a relationship between the threat actors.

What is RustDoor?

RustDoor is a new MacOS backdoor written in Rust. RustDoor was observed targeting companies in the cryptocurrency sector. The campaign has been active since at least November 2023, and at least three variants of RustDoor have been identified. Bitdefender recently reported on this activity. 

RustDoor, which can run on both Intel-based and Apple Silicon architectures, is stealthily distributed by masquerading as a Visual Studio update. Some of the first-stage downloaders used by RustDoor are disguised as PDF files with job offerings. However, when the victim takes the bait, the scripts download and execute malware while opening a decoy PDF. Other first-stage payloads are distributed as ZIP archives that claim to contain job information. These contain a basic shell script that fetches the implant while displaying a decoy PDF.

RustDoor is capable of exfiltrating and uploading files and obtaining information about infected devices. Bitdefender discovered four related Go-based binaries that collect information about the victim system and its network connections and communicate with an actor-controlled C2. These binaries can also obtain details about the disk and the kernel parameters and configuration values.

Researchers at Bitdefender noted the attacks in this campaign appear to be targeted. So far, only three victims have been confirmed - two in Hong Kong and a third in Lagos, Nigeria.

GateDoor

S2W reportedly discovered RustDoor in December 2023, although Bitdefender is credited with naming the backdoor. S2W researchers also identified a Windows version of RustDoor, which they named GateDoor. GateDoor is written in Go but functions similarly to RustDoor.

Links to Other Threat Actors?

It is interesting to note that RustDoor uses infrastructure linked to the ALPHV ransomware gang, which we featured in a recent Threat Bulletin. Three of the four C2 servers used by RustDoor overlap with infrastructure previously used by ALPHV or an ALPHV affiliate. Industry researchers noted other artifacts and IOCs suggest a possible relationship with BlackBasta. At this time, it is unclear whether the infrastructure is threat actor-controlled or part of a bulletproof hosting service that may be used by multiple unrelated threat actors. 

IOCs

PolySwarm has multiple samples of RustDoor.

 

A69d91cf565e717662d0470183cced3350ba0bb4f91d2ced3f089af3a707c5c3

E86963c94f3c1de1ccfffaa4d192d39881a24df8b175c00fd64a4e076826b76b

43609c813c3084532073a22f24e931f24c04e118dcd972c6c8f0428637d9c0ff

82e88d4203ac35ce4516e937412f60ec48e0ebabf55c1a2531bd16a22da14f05

9a3a9238d0f043d7b806bc138c955112b698ce1161d2bf6c194b1747d6d7cd00

449cc50caf2f4b85c6425fea809aa662b80f17821a8f3dc47fe8586ee56bd1dc

Ba0506213adba3b0878315adbc3c80397ba6483151229a4f5dedf3a62793d130

01534a1849b197c03eb23c27d16ace7fc99778eeaa24953154e4f41afc712032

146f804dd4653429cf94f43d7d6c981d00809a09b5864e52e9c22df90df29c70

996921573bc8d2618eaf4b7532fc1b46074fe5cdc317f5a751fc70b5371362a3

F11b0f67f76b7d49511a6212921901afae5b7ecd2bbc718a3d70f6ccb524903a

F9a4f04d7222afbbadbf2cb417ee9e70733e1dcc2af94ec3cc9b6308a3216f93

698cab82b340f4d67d598dea480daa3a8c96ccaf0c778b36b7073c81c4c71760

C30f634f56000e87c9c4258174ec09ee5bd67d29eca4e78f63c34f976b0272d8

2acd053b854545d381866d471a711d860e84a38cb9f2e13983a74c4044080dc2

B4991bc670ba62c77ffec0a2fe3c445085de822ce8b282265cb24cfbae951ae0

6ea00e7d945e78f28d6043bb5d304e0f56d22ab104c9c74e77d1f8572dc17809

11c998005bcce297b6a0595b97281aca7a587b6bc1e6aa414609812108b3328c

Fe565f4296570a89893828cdd61c6421cf745bab220e21cebce226863d5772a0

20b986b24d86d9a06746bdb0c25e21a24cb477acb36e7427a8c465c08d51c1e4

238b546e2a1afc230f88b98dce1be6bf442b0b807e364106c0b28fe18db2ce66

 

You can use the following CLI command to search for all RustDoor samples in our portal:

$ polyswarm link list -f RustDoor

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at
 hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.