During the last few months, a significant and alarming development in the cybersecurity field has been the discovery of a new malware strain known as RustDoor, designed specifically for macOS users. What sets RustDoor apart from its counterparts is its sophisticated and deceptive tactic: it masquerades as an update to Visual Studio, a highly regarded integrated development environment.
Such infiltration methods are especially insidious because they rely on the implicit trust users place in routine software updates, leading them to download and install malware on their macOS machines unwittingly. By posing as a legitimate software update, RustDoor exploits the trust users already have in well-known and reliable software.
The malware takes advantage of users who routinely install updates for their software tools, expecting those updates to keep the tools secure and working at their best. RustDoor imitates Visual Studio, one of the staple platforms in software development.
According to Bitdefender, the campaign that rolled out the backdoor began in November 2023 and is still ongoing, distributing new versions of the backdoor. Bitdefender's research indicates that Trojan.MAC.RustDoor is likely connected to the BlackCat/ALPHV malware. The newly discovered backdoor, written in Rust, impersonates an update to the Visual Studio code editor.
Bitdefender has identified several variants of the malware, all with the same backdoor functionality despite slight differences. All analyzed samples can harvest and exfiltrate files, as well as gather information about infected machines, using multiple commands. The gathered information is sent to a command-and-control server, which generates a victim ID used in subsequent communications.
The first version of the backdoor, which appeared on November 20, 2023, was likely merely a test version with no complete persistence mechanism; it also contained a list file named "test" and other documents. Several variants were first observed at the end of November, each with larger files and complex JSON configurations, as well as Apple scripts used to exfiltrate certain documents, including a user's notes, from the Documents and Desktop folders.
The malware copies the documents into a hidden folder, compresses them into a ZIP archive, and sends the archive to the command-and-control server. Bitdefender also found that RustDoor's configuration file contains options to impersonate different applications and to customize a spoofed administrator password dialog box.
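As an added detection example (my own code, not from Bitdefender's report or from this page): a heuristic that flags the staging pattern described above, several documents from Documents or Desktop copied into a hidden folder followed by a ZIP archive created there. It assumes a simplified, constructed file-system event feed; the FsEvent shape, the sample paths and the `.vsupdate` folder name are hypothetical.

```python
import os
from collections import defaultdict
from dataclasses import dataclass

WATCHED_FOLDERS = ("Documents", "Desktop")  # folders the page says RustDoor harvests from
IGNORED_HIDDEN = {".Trash"}                  # hidden dirs that legitimately receive user files
COPY_THRESHOLD = 3                           # harvested files needed before a hidden dir is flagged


@dataclass
class FsEvent:
    """One simplified file-system event (hypothetical feed format, not a real sensor schema)."""
    op: str        # "copy" or "create"
    path: str      # source path of a copy, or the created path
    dst: str = ""  # destination path of a copy


def in_watched_folder(path: str) -> bool:
    """True for paths under /Users/<name>/Documents or /Users/<name>/Desktop."""
    parts = path.strip("/").split("/")
    return len(parts) > 3 and parts[0] == "Users" and parts[2] in WATCHED_FOLDERS


def in_hidden_dir(path: str) -> bool:
    """True when a directory component below the home folder starts with a dot."""
    dirs = path.strip("/").split("/")[2:-1]  # directories between /Users/<name>/ and the file
    return any(d.startswith(".") and d not in IGNORED_HIDDEN for d in dirs)


def detect_staging(events: list[FsEvent]) -> list[str]:
    """Hidden dirs that received >= COPY_THRESHOLD watched documents and a new ZIP archive."""
    copies: dict[str, int] = defaultdict(int)
    zip_dirs: set[str] = set()
    for e in events:
        if e.op == "copy" and in_watched_folder(e.path) and in_hidden_dir(e.dst):
            copies[os.path.dirname(e.dst)] += 1
        elif e.op == "create" and e.path.lower().endswith(".zip") and in_hidden_dir(e.path):
            zip_dirs.add(os.path.dirname(e.path))
    return sorted(d for d, n in copies.items() if n >= COPY_THRESHOLD and d in zip_dirs)


# Constructed sample events: one staging sequence into a hidden folder plus benign activity.
SAMPLE_EVENTS = [
    FsEvent("copy", "/Users/alice/Documents/report.docx", "/Users/alice/.vsupdate/report.docx"),
    FsEvent("copy", "/Users/alice/Documents/notes.txt", "/Users/alice/.vsupdate/notes.txt"),
    FsEvent("copy", "/Users/alice/Desktop/budget.xlsx", "/Users/alice/.vsupdate/budget.xlsx"),
    FsEvent("create", "/Users/alice/.vsupdate/out.zip"),
    FsEvent("copy", "/Users/alice/Documents/old.pdf", "/Users/alice/.Trash/old.pdf"),
    FsEvent("copy", "/Users/alice/Documents/a.txt", "/Users/alice/Backups/a.txt"),
]

print(detect_staging(SAMPLE_EVENTS))  # ['/Users/alice/.vsupdate']
```

Feeding real file-system telemetry into this shape is left to the reader; the threshold and ignore list are tuning knobs, not fixed values from the report.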
Bitdefender reports that it has discovered three variants of RustDoor, the earliest seen since the beginning of October 2023. Next came an updated version observed on November 30, which contained an embedded Apple script used to exfiltrate files with specific extensions in the JSON format; this was likely a testing version that preceded an updated version observed on November 22.
The report provides a list of known RustDoor indicators of compromise, including binary files and download domains, as well as the URLs and commands for each of the four C&C servers the researchers discovered. This ruse allows RustDoor to gain unauthorized access to a user's system once they install what appears to be a genuine Visual Studio update.
The user is then exposed to a wide array of malicious activity. Given that Visual Studio is widely used by professionals, developers, and individuals alike, the effects of RustDoor extend well beyond individual users. There is a serious risk of large-scale attacks using this malware with profound consequences, underscoring the critical importance of monitoring.