Apple macOS users are the target of a new Rust-based backdoor that has been operating under the radar since November 2023.
The backdoor, codenamed RustDoor by Bitdefender, has been found to impersonate an update for Microsoft Visual Studio and targets both Intel and Arm architectures.
The exact initial access path used to propagate the implant is not currently known, although it is said to be distributed as FAT binaries that contain Mach-O files.
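The implant is said to ship as FAT (universal) binaries carrying Mach-O slices for both Intel and Arm. As an added example, not taken from the article or from Bitdefender's report, the following Python triage helper parses a FAT header, lists each architecture slice, and checks that every slice really begins with a Mach-O header whose CPU type agrees with the table entry. The magic values and CPU type constants are the public ones from Apple's mach-o headers; the input bytes are constructed inside the script and do not come from any real sample.

```python
import struct

FAT_MAGIC = 0xCAFEBABE       # universal binary header, always big-endian
FAT_MAGIC_64 = 0xCAFEBABF    # variant with 64-bit fat_arch_64 entries
MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O header in file byte order
MH_CIGAM = 0xCEFAEDFE        # same magic, byte-swapped
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O header
MH_CIGAM_64 = 0xCFFAEDFE

CPU_TYPE_NAMES = {
    0x00000007: "i386",
    0x01000007: "x86_64",
    0x0000000C: "arm",
    0x0100000C: "arm64",
}
FILETYPE_NAMES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}


def parse_fat(data: bytes) -> list[dict]:
    """Return one dict per architecture slice of a universal (FAT) Mach-O file.

    Raises ValueError when `data` is not a structurally valid FAT binary.
    """
    if len(data) < 8:
        raise ValueError("too short for a fat_header")
    magic, nfat_arch = struct.unpack_from(">II", data, 0)
    if magic == FAT_MAGIC:
        entry_fmt = ">iiIII"     # cputype, cpusubtype, offset, size, align
    elif magic == FAT_MAGIC_64:
        entry_fmt = ">iiQQII"    # 64-bit offset/size, then align, reserved
    else:
        raise ValueError(f"not a FAT binary (magic 0x{magic:08X})")
    # 0xCAFEBABE is also the Java class-file magic. A class file carries its
    # minor/major version in this field (major >= 45), so a slice count that
    # large is a reliable sign the input is not a universal binary.
    if nfat_arch == 0 or nfat_arch > 30:
        raise ValueError(f"implausible nfat_arch {nfat_arch} (Java class file?)")
    entry_size = struct.calcsize(entry_fmt)
    slices = []
    for i in range(nfat_arch):
        off = 8 + i * entry_size
        if off + entry_size > len(data):
            raise ValueError("fat_arch table runs past end of file")
        fields = struct.unpack_from(entry_fmt, data, off)
        cputype, cpusubtype, sl_off, sl_size, align = fields[:5]
        # Every slice must fit inside the file and begin with a Mach-O header.
        if sl_size < 28 or sl_off + sl_size > len(data):
            raise ValueError(f"slice {i} is out of bounds or too small")
        (sl_magic,) = struct.unpack_from(">I", data, sl_off)
        if sl_magic in (MH_MAGIC, MH_MAGIC_64):
            end = ">"
        elif sl_magic in (MH_CIGAM, MH_CIGAM_64):
            end = "<"            # little-endian on disk, as on Intel and Apple silicon
        else:
            raise ValueError(f"slice {i} does not start with a Mach-O header")
        mh_cputype, mh_cpusubtype, mh_filetype = struct.unpack_from(end + "iiI", data, sl_off + 4)
        slices.append({
            "index": i,
            "arch": CPU_TYPE_NAMES.get(cputype, f"cputype_0x{cputype & 0xFFFFFFFF:08X}"),
            "cputype": cputype,
            "cpusubtype": cpusubtype,
            "offset": sl_off,
            "size": sl_size,
            "alignment": 1 << align,
            "is_64bit": sl_magic in (MH_MAGIC_64, MH_CIGAM_64),
            "filetype": FILETYPE_NAMES.get(mh_filetype, f"filetype_{mh_filetype}"),
            # A fat_arch entry whose cputype disagrees with the Mach-O header it
            # points at is malformed and worth flagging during triage.
            "cputype_matches_slice": mh_cputype == cputype,
        })
    return slices


def is_fat_binary(data: bytes) -> bool:
    """True only for data that parse_fat accepts as a well-formed universal binary."""
    try:
        parse_fat(data)
        return True
    except ValueError:
        return False


def build_sample_fat() -> bytes:
    """Constructed test input: a universal binary with x86_64 and arm64 slices.

    Each slice is a stub 64-bit Mach-O header with zero load commands, padded
    to 0x100 bytes, so the script runs offline without touching a real file.
    """
    def mach_header_64(cputype, cpusubtype):
        # magic, cputype, cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
        hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, cpusubtype, 2, 0, 0, 0, 0)
        return hdr.ljust(0x100, b"\0")

    slices = [
        (0x01000007, 0x00000003, 0x1000),  # x86_64, CPU_SUBTYPE_X86_64_ALL
        (0x0100000C, 0x00000000, 0x2000),  # arm64,  CPU_SUBTYPE_ARM64_ALL
    ]
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    for cputype, cpusubtype, offset in slices:
        header += struct.pack(">iiIII", cputype, cpusubtype, offset, 0x100, 12)
    blob = bytearray(0x2100)
    blob[:len(header)] = header
    for cputype, cpusubtype, offset in slices:
        blob[offset:offset + 0x100] = mach_header_64(cputype, cpusubtype)
    return bytes(blob)


if __name__ == "__main__":
    for entry in parse_fat(build_sample_fat()):
        print(entry)
```

Run against a real file by replacing `build_sample_fat()` with the file's bytes; a thin (single-architecture) Mach-O or a Java class file is rejected rather than misreported as universal, and a slice whose embedded CPU type does not match its table entry is surfaced through the `cputype_matches_slice` field.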
Numerous variants of the malware with minor modifications have been detected so far, likely indicating active development. The first RustDoor sample was observed on November 2, 2023.
It comes with a wide range of commands that allow it to collect and upload files and gather information about the compromised endpoint.
Some versions also include configurations with details on what data to collect, the list of targeted extensions and directories, and directories to exclude.
The acquired information is then exfiltrated to a command and control (C2) server.
The Romanian cybersecurity firm said the malware is likely linked to major ransomware families such as Black Basta and BlackCat due to overlaps in the C2 infrastructure.
“ALPHV/BlackCat is a ransomware family (also written in Rust), which made its first appearance in November 2021 and pioneered the business model of public data leaks,” said security researcher Andrei Lapusneanu.
In December 2023, the US government announced that it had disrupted the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.