A notorious remote access trojan (RAT) known as HZ RAT, which has been targeting Windows devices since at least 2020, has now been updated to infiltrate macOS environments.
Cybersecurity firm Intego reported this development on September 5, 2024. The malware, historically linked to China, is now being distributed in the wild, posing a significant threat to Mac users.
How HZ RAT Operates
Remote access trojans like HZ RAT disguise themselves as legitimate software downloads. Once the malware is executed on a victim’s device, it establishes a connection with a command-and-control (C2) server controlled by cybercriminals.
This connection allows attackers to take full control of the infected computer, enabling them to perform actions as if they were physically present.
HZ RAT is particularly insidious because it can remain undetected by many security vendors.
It can take screenshots, log keystrokes, and steal data from applications such as Google Password Manager, WeChat, and DingTalk—popular apps among Chinese Mac users. Despite its capabilities, the ultimate motive behind this malware campaign remains unclear.
According to the Moonlock report, the exact distribution method for the macOS version of HZ RAT is still unknown. However, Intego has identified several sites and domains hosting the malware.
Notably, the trojan has been found impersonating the VPN app OpenVPN Connect. Investigations have also linked several Chinese IPs and domains to this campaign.
Security experts advise Mac users to download software exclusively from the official Apple App Store to minimize risk. The malware’s low detection rate among security vendors further complicates efforts to mitigate its spread.
Analysis of HZ RAT reveals that it supports a limited set of commands: executing shell commands, writing files to disk, downloading files to a server, and pinging to check a victim’s availability.
Despite its simplicity, the malware can collect extensive data from compromised devices, including local IP addresses, Bluetooth device data, Wi-Fi network information, hardware specifications, and more.
Of the C2 IP addresses linked to this malware, most seem to be located in China:
Additionally, while HZ RAT does not extract passwords directly from Google Password Manager, attackers are suspected to use stolen credentials obtained from other sources to exploit the data harvested by the malware.
The emergence of HZ RAT as a threat to Mac users underscores the evolving nature of cyber threats and the need for vigilance in cybersecurity practices.
Users are urged to stay informed about potential risks and ensure their devices are protected with up-to-date security measures.
For ongoing updates on cybersecurity threats and tips for protection, consider subscribing to specialized newsletters that provide quick and actionable insights into the latest developments in the field.