Background of HZ RAT Malware
The HZ RAT (Remote Access Trojan) is malicious software designed to gain unauthorized access to devices. It has been targeting users since June 2020, specifically macOS users of Chinese messaging apps such as DingTalk and WeChat. It was first detected by the German cybersecurity firm DCSO in 2022.
Distribution Methods
HZ RAT is distributed using two primary methods: through malicious RTF documents and disguised installers for legitimate software. RTF documents exploit an old Microsoft Office flaw, CVE-2017-11882, to deploy the malware. The disguised installers mimic legitimate software such as OpenVPN, PuTTYgen, and EasyConnect. These installers execute a Visual Basic Script that launches the RAT, effectively tricking users into installing the backdoor.
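Both delivery chains described above leave a recognizable parent/child process pattern: Office launching the Equation Editor (EQNEDT32.EXE, the component affected by CVE-2017-11882) and then the editor spawning a child, or a lookalike installer spawning a Windows script host. The following detection sketch is an added example, not code from the page or from any vendor report; the log format, host names and file names are constructed for illustration.

```python
"""Flag process-creation chains matching the HZ RAT delivery methods described above."""
import re

# Constructed sample telemetry (not real data): one process-creation event per line.
SAMPLE_EVENTS = """\
ts=2024-01-01T10:00:01 host=ws01 parent=WINWORD.EXE child=EQNEDT32.EXE
ts=2024-01-01T10:00:02 host=ws01 parent=EQNEDT32.EXE child=cmd.exe
ts=2024-01-01T10:05:00 host=ws02 parent=explorer.exe child=OpenVPN-setup.exe
ts=2024-01-01T10:05:01 host=ws02 parent=OpenVPN-setup.exe child=wscript.exe
ts=2024-01-01T10:06:00 host=ws03 parent=explorer.exe child=notepad.exe
ts=2024-01-01T10:07:00 host=ws04 parent=explorer.exe child=puttygen.exe
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Software names the page says the installers impersonate.
LOOKALIKE_INSTALLERS = ("openvpn", "puttygen", "easyconnect")

EVENT_RE = re.compile(r"ts=(\S+) host=(\S+) parent=(\S+) child=(\S+)")


def parse_events(text):
    """Parse the constructed key=value log format into dicts with lowercased image names."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts, host, parent, child = m.groups()
            events.append({"ts": ts, "host": host,
                           "parent": parent.lower(), "child": child.lower()})
    return events


def detect(events):
    """Return (host, rule) tuples for events matching the delivery-chain heuristics."""
    alerts = []
    for e in events:
        # Office spawning the Equation Editor is the CVE-2017-11882 execution path.
        if e["parent"] in OFFICE_APPS and e["child"] == "eqnedt32.exe":
            alerts.append((e["host"], "office-spawned-equation-editor"))
        # The Equation Editor has no legitimate reason to launch child processes.
        if e["parent"] == "eqnedt32.exe":
            alerts.append((e["host"], "equation-editor-child-process"))
        # An installer named after the impersonated tools launching a script host.
        if any(n in e["parent"] for n in LOOKALIKE_INSTALLERS) and e["child"] in SCRIPT_HOSTS:
            alerts.append((e["host"], "installer-spawned-script-host"))
    return alerts
```

A genuine installer that merely runs (ws04 above) produces no alert; only the script-host spawn does.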
Functional Capabilities
Once installed, HZ RAT connects to a command-and-control (C2) server to receive instructions. Its capabilities include:
- Executing shell commands to gather system information.
- Writing files to disk and sending files to the server.
- Harvesting credentials and conducting system reconnaissance.
- Checking the victim's availability and collecting personal data, such as WeChat ID, email address, and phone number.
Targeted Data and Infrastructure
Attackers interested in DingTalk focus on corporate data, including organization name, department, username, and contact details. The attack infrastructure mainly consists of C2 servers located in China, with a few in the U.S. and the Netherlands. The malware package was also traced back to a domain of miHoYo, a Chinese video game developer.
Implications and Current Status
The persistent use of HZ RAT underlines its effectiveness at data collection and its potential for further exploitation of victim networks. Kaspersky's latest findings suggest the malware remains active, with its macOS version continuing to be a threat. Users of the targeted messaging apps should remain vigilant and employ security measures to protect against these threats.