Kaspersky researchers have identified a macOS variant of the HZ Rat backdoor targeting users of WeChat and DingTalk, two popular Chinese messaging platforms. The malware, first detected on Windows systems, now threatens macOS, potentially enabling lateral network movement and data theft.

The macOS version of HZ Rat is distributed through a fake “OpenVPN Connect” application installer. This installer contains the legitimate VPN client along with two malicious files: the backdoor itself and a script that launches the backdoor together with the VPN client. Once the backdoor is started, it connects to the attackers’ server using a predetermined list of IP addresses, with all communication encrypted to avoid detection.

“Kaspersky expert analysis shows the macOS backdoor gathers information such as the victim’s username, work email address and phone number from DingTalk and WeChat’s unprotected data files,” said Sergey Puzan, malware analyst at Kaspersky. “While the malware is currently only collecting data, some versions use local IP addresses to communicate with the attackers’ server, hinting at the potential for lateral movement within the victim’s network. This also suggests that the attackers may be planning targeted attacks.”

HZ Rat was first discovered in November 2022, when DCSO researchers discovered the Windows version of the malware. The discovery of the macOS HZ Rat variant indicates the group behind the earlier Windows attacks is still active. While their ultimate goals are not yet clear, the collected data could be used to gather intelligence for staging future attacks.

For more details about the HZ Rat case, please visit Securelist.com.

To mitigate the risks of malware infections like HZ Rat, Kaspersky recommends the following:

  • It’s safer to download your apps only from official stores. Apps from these markets are not 100% failsafe, but at least they get checked by shop representatives and there is some filtration system — not every app can get into these stores.
  • Approach your protection with utter diligence and consider additional hardening options. Use cybersecurity solutions with application, Web and device controls which limit the use of unsolicited apps, websites and peripherals, significantly reducing infection risks even in cases where employees use shadow IT or make mistakes due to lack of cybersafe habits.  
  • To protect the company against a wide range of threats, use solutions from Kaspersky Next product line that provide real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organisations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements are changing.
  • Use a strong security solution on all your personal computers and mobile devices, such as Kaspersky PremiumKaspersky solutions are regularly awarded, leading in independent tests.
  • Always keep software updated on all the devices you use to prevent attackers from infiltrating your network by exploiting vulnerabilities.