February 9, 2024 By Bill Toulas

A new Rust-based macOS malware spreading as a Visual Studio update to provide backdoor access to compromised systems uses infrastructure linked to the infamous ALPHV/BlackCat ransomware gang.
The campaign delivering the backdoor has been running since at least November 2023 and is still underway, distributing newer variants of the malware.
Written in Rust, the malware can run on Intel-based (x86_64) and ARM (Apple Silicon) architectures, say researchers at cybersecurity company Bitdefender, who are tracking it as RustDoor.
Potential link to ransomware operations
While analyzing RustDoor, malware researchers at Bitdefender discovered that the malware communicated with four command and control (C2) servers.
Looking at threat intelligence data, the analysts found that three of them had been used in attacks potentially linked to ransomware attacks from an ALPHV/BlackCat affiliate.
However, the researchers highlight that this is insufficient evidence to confidently link the use of RustDoor to a particular threat actor and that "artifacts and IoCs [indicators of compromise] suggest a possible relationship with the BlackBasta and ALPHV/BlackCat ransomware operators."
With cybercriminals having less freedom in choosing their infrastructure and being restricted to hosting services that provide anonymity and condone illegal activity, it is common for multiple threat actors to use the same servers for attacks.
While encryptors for macOS exist (builds for Apple M1 from LockBit created before December 2022), there are no public reports at this time of ransomware attacking Apple's operating system.
Most operations target Windows and Linux systems as enterprise environments use servers running these operating systems.