MacOS users of some of the biggest chat apps around are being hit with new malware scam
If you’re using WeChat or DingTalk, your sensitive data might be at risk
Chinese macOS users who rely on the DingTalk and WeChat apps to communicate with others are being targeted with new infostealing malware, experts have warned.
Cybersecurity researchers at Kaspersky analyzed a new malware sample, recently uploaded to VirusTotal, to discover hackers have taken a known infostealer called HZ RAT, and repurposed it for macOS.
HZ RAT has been around for almost half a decade (since 2020), but was first identified by the German cybersecurity outlet DCSO in late 2022. For an infostealer, HZ RAT is relatively rudimentary and unsophisticated. It can connect to a command & control (C2) server, execute PowerShell commands and scripts, write arbitrary files to the target system, upload files, and send system information.
Chinese C2 servers
The Hacker News claims that, given its limited functionality, HZ RAT is probably used for credential harvesting and system reconnaissance.
Now, someone has taken it and produced a near-identical copy, this time for macOS. “The samples we found almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server,” Kaspersky said.
Another aspect where Windows and macOS versions are similar is how they end up on the target endpoint to begin with. While Windows variants impersonated legitimate software such as OpenVPN, PuTTYgen, or EasyConnect, macOS versions so far impersonate the OpenVPN Connect client.
The files grabbed with HZ RAT differ depending on the chat app in use, Kaspersky further explained: “The malware attempts to obtain the victim’s WeChatID, email, and phone number from WeChat,” they said. “As for DingTalk, attackers are interested in more detailed victim data: Name of the organization and department where the user works, username, corporate email address, [and] phone number.”
While the identity of the attackers is unknown, the researchers managed to determine where the C2 infrastructure is located. The majority of the servers are based in China, with two found in the US and the Netherlands.
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.