Kaspersky researchers have identified a macOS variant of the HZ Rat backdoor targeting users of WeChat and DingTalk, two popular Chinese messaging platforms. The malware, first detected on Windows systems, now threatens macOS, potentially enabling lateral network movement and data theft.
The macOS version of HZ Rat is distributed through a fake “OpenVPN Connect” application installer. This installer contains the legitimate VPN client along with two malicious files: the backdoor itself and a script that launches the backdoor together with the VPN client. Once the backdoor is started, it connects to the attackers’ server using a predetermined list of IP addresses, with all communication encrypted to avoid detection.
“Kaspersky expert analysis shows the macOS backdoor gathers information such as the victim’s username, work email address and phone number from DingTalk and WeChat’s unprotected data files,” says Sergey Puzan, malware analyst at Kaspersky. “While the malware is currently only collecting data, some versions use local IP addresses to communicate with the attackers’ server, hinting at the potential for lateral movement within the victim’s network. This also suggests that the attackers may be planning targeted attacks.”
HZ Rat was first discovered in November 2022, when DCSO researchers discovered the Windows version of the malware. The discovery of the macOS HZ Rat variant indicates the group behind the earlier Windows attacks is still active. While their ultimate goals are not yet clear, the collected data could be used to gather intelligence for staging future attacks.