New RustDoor malware targets macOS users by posing as a Visual Studio update
Bitdefender researchers have uncovered a new backdoor, dubbed “RustDoor”, written in the Rust programming language and aimed at macOS users. The backdoor masquerades as a Visual Studio update. Every identified file was distributed directly as a FAT (universal) binary, a single file that bundles Mach-O images for both the x86_64 (Intel) and ARM64 (Apple silicon) architectures, so one download runs natively on either kind of Mac.
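A first triage step for a suspected sample of this kind is to confirm that the file really is a universal binary and to enumerate the architectures it carries. The parser below is an added example written for this article, not code from Bitdefender or from the malware: it reads the big-endian `fat_header` and `fat_arch` table from `<mach-o/fat.h>`, bounds-checks every slice, verifies that each slice starts with a Mach-O magic whose `cputype` matches the FAT table entry, and rejects Java class files, which share the `0xCAFEBABE` magic (the `nfat_arch > 30` rule of thumb is the one libmagic uses). The input is a constructed two-slice sample with bare Mach-O headers, not a real RustDoor file.

```python
import struct

# Magic values and CPU types from <mach-o/fat.h> and <mach-o/loader.h>
FAT_MAGIC = 0xCAFEBABE       # fat_header with 32-bit fat_arch entries (big-endian on disk)
FAT_MAGIC_64 = 0xCAFEBABF    # fat_header with 64-bit fat_arch_64 entries
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O header, stored little-endian on x86_64/arm64
MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O header
MACHO_MAGICS = {MH_MAGIC_64, MH_MAGIC, 0xCFFAEDFE, 0xCEFAEDFE}  # both byte orders
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64",
             0x00000007: "i386", 0x0000000C: "arm"}


def parse_fat(data: bytes) -> list:
    """Return one dict per architecture slice of a FAT (universal) Mach-O.

    Raises ValueError for anything that is not a plausible, self-consistent
    FAT file (wrong magic, Java class file, truncated table, slice past EOF).
    """
    if len(data) < 8:
        raise ValueError("too short for a fat_header")
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic not in (FAT_MAGIC, FAT_MAGIC_64):
        raise ValueError("not a FAT Mach-O (magic %#x)" % magic)
    # Java .class files also start with 0xCAFEBABE; the following u32 there is
    # the class-file version (>= 45), so a large "nfat_arch" means Java, not Mach-O.
    if nfat_arch == 0 or nfat_arch > 30:
        raise ValueError("nfat_arch=%d is not plausible (Java class file?)" % nfat_arch)
    # fat_arch: cputype i32, cpusubtype i32, offset u32, size u32, align u32
    # fat_arch_64: cputype i32, cpusubtype i32, offset u64, size u64, align u32, reserved u32
    fmt, entry_size = (">iiIII", 20) if magic == FAT_MAGIC else (">iiQQII", 32)
    slices = []
    for i in range(nfat_arch):
        start = 8 + i * entry_size
        entry = data[start:start + entry_size]
        if len(entry) != entry_size:
            raise ValueError("truncated fat_arch table at entry %d" % i)
        cputype, cpusubtype, offset, size = struct.unpack(fmt, entry)[:4]
        arch = CPU_NAMES.get(cputype, "cputype_%#x" % cputype)
        if offset + size > len(data):
            raise ValueError("slice %d (%s) extends past end of file" % (i, arch))
        # Each slice must itself begin with a Mach-O header whose cputype agrees
        # with the FAT table; a mismatch means a crafted or corrupted container.
        magic_ok = cputype_ok = False
        if size >= 12:
            slice_magic, slice_cputype, _ = struct.unpack("<Iii", data[offset:offset + 12])
            magic_ok = slice_magic in MACHO_MAGICS
            cputype_ok = slice_cputype == cputype
        slices.append({"arch": arch, "cputype": cputype, "cpusubtype": cpusubtype,
                       "offset": offset, "size": size,
                       "macho_magic_ok": magic_ok, "cputype_matches": cputype_ok})
    return slices


def architectures(data: bytes) -> set:
    """Set of architecture names carried by the FAT file."""
    return {s["arch"] for s in parse_fat(data)}


def is_universal_x86_64_arm64(data: bytes) -> bool:
    """True when the file ships native Intel and Apple-silicon slices, as the
    RustDoor samples described above do."""
    return {"x86_64", "arm64"} <= architectures(data)


def classify(data: bytes) -> str:
    """One-line triage verdict; turns the parser's rejections into a string."""
    try:
        archs = sorted(architectures(data))
    except ValueError as exc:
        return "rejected: %s" % exc
    return "fat: " + "+".join(archs)


def build_sample() -> bytes:
    """Constructed sample (not a real malware file): a two-slice universal
    binary whose slices are bare mach_header_64 records with no load commands."""
    MH_EXECUTE = 2
    layout = {CPU_TYPE_X86_64: (4096, 3), CPU_TYPE_ARM64: (8192, 0)}  # offset, cpusubtype
    header = struct.pack(">II", FAT_MAGIC, len(layout))
    for cputype, (offset, _sub) in layout.items():
        header += struct.pack(">iiIII", cputype, 0, offset, 32, 12)  # align = 2**12
    blob = bytearray(8192 + 32)
    blob[:len(header)] = header
    for cputype, (offset, sub) in layout.items():
        # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
        blob[offset:offset + 32] = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, sub,
                                               MH_EXECUTE, 0, 0, 0, 0)
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample))                       # fat: arm64+x86_64
    print(classify(sample[:5000]))                # rejected: arm64 slice past EOF
    print(classify(b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 40))  # rejected: Java
```

On a Mac, `lipo -archs <file>` and `file <file>` give the same architecture listing for a real sample; the value of a hand-rolled parser is the consistency checks, since a FAT table that points outside the file or at a slice whose own header disagrees with the table is itself a sign of tampering worth recording in the triage notes.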
The earliest traces of RustDoor were found in samples from early November 2023, with the most recent sample detected on February 2nd, 2024. This suggests that the malware has been operating undetected for a minimum of three months. Researchers have also identified multiple variants of the malware, each with minor modifications, indicating that it is still under active development.
RustDoor is equipped with a broad set of commands that enable it to gather and upload files, as well as extract information about the compromised endpoint. The harvested data is subsequently exfiltrated to a command-and-control (C2) server.
The current data on Trojan.MAC.RustDoor is insufficient to definitively attribute this campaign to a specific threat actor. However, artifacts and indicators of compromise (IoCs) suggest a potential link to the BlackBasta and ALPHV/BlackCat ransomware operators. Of note, three of the four identified C2 servers have previously been linked to ransomware campaigns targeting Windows clients. ALPHV/BlackCat, a ransomware family also written in Rust, emerged in November 2021 and was an early adopter of the public data-leak extortion model.
