macOS HZ RAT Targets Chinese Messaging Users

Lilu Anderson

Background of HZ RAT Malware

HZ RAT is a remote access trojan (RAT): a backdoor that gives its operator command execution and file transfer on an infected device. Samples of the family date back to June 2020, and the variant described here is a macOS port that targets users of the Chinese messaging apps DingTalk and WeChat. HZ RAT was first documented by the German cybersecurity firm DCSO in 2022, at that time as a Windows threat; the macOS build was identified later by Kaspersky.

Distribution Methods

HZ RAT reaches victims in two ways: malicious RTF documents and installers that impersonate legitimate software. The RTF documents exploit CVE-2017-11882, a memory-corruption bug in the Microsoft Office Equation Editor that was patched in November 2017, so this path only delivers the Windows build, and only to machines that missed that update. The disguised installers impersonate OpenVPN, PuTTYgen and EasyConnect; on Windows they run a Visual Basic Script that starts the RAT, and the macOS build was found packaged into an OpenVPN installer that also installs the genuine client, so the victim ends up with a working program and a backdoor. In both cases the user runs the installer themselves, which is what makes the infection work.
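The RTF vector can be checked for before a document is ever opened. The script below is an added example, not code from the original article or from any vendor report: it decodes the `\objdata` hex blobs of an RTF file and looks for the Equation Editor class name and its CLSID (0002CE02-0000-0000-C000-000000000046), which is what a CVE-2017-11882 document has to embed. The two sample documents it scans are constructed here for the demonstration and are not HZ RAT samples; the RTF structure in `build_sample` is a simplified stand-in for a real Equation.3 object stream.

```python
import re

# CLSID of Microsoft Equation Editor 3.0 ("Equation.3"), the COM component in
# which CVE-2017-11882 lives. Inside an OLE stream it is stored little-endian.
EQUATION3_CLSID = "0002CE02-0000-0000-C000-000000000046"

# Matches the hex payload of an RTF embedded object: {\*\objdata 0105...}
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def clsid_to_bytes(clsid: str) -> bytes:
    """Serialise a GUID string the way a COM CLSID is laid out on disk."""
    d1, d2, d3, d4, d5 = clsid.split("-")
    return (int(d1, 16).to_bytes(4, "little")
            + int(d2, 16).to_bytes(2, "little")
            + int(d3, 16).to_bytes(2, "little")
            + bytes.fromhex(d4) + bytes.fromhex(d5))


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex blob in the document into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) - (len(hexstr) % 2)]  # drop a dangling nibble
        if hexstr:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Return which Equation Editor indicators were found in the RTF."""
    clsid = clsid_to_bytes(EQUATION3_CLSID)
    blobs = extract_objdata(rtf)
    result = {
        # Plain-text class name on the object group (trivial for an attacker to omit).
        "objclass_equation": bool(re.search(rb"\\objclass\s*Equation\.3", rtf)),
        # Class name or CLSID inside the decoded OLE payload (harder to hide).
        "equation_in_objdata": any(b"Equation.3" in b or clsid in b for b in blobs),
        "objdata_count": len(blobs),
    }
    result["suspicious"] = result["objclass_equation"] or result["equation_in_objdata"]
    return result


def build_sample(include_equation: bool) -> bytes:
    """Constructed test documents for this example; not real droppers."""
    if include_equation:
        # OLE1 object header (version, format id, class name) followed by the
        # CLSID: a rough stand-in for what a real Equation.3 \objdata stream holds.
        payload = (b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
                   + clsid_to_bytes(EQUATION3_CLSID) + b"\x00" * 16)
        obj = (rb"{\object\objemb{\*\objclass Equation.3}{\*\objdata "
               + payload.hex().encode("ascii") + b"}}")
    else:
        obj = b""
    return b"{\\rtf1\\ansi Quarterly report " + obj + b"\\par}"


if __name__ == "__main__":
    for flag in (True, False):
        print(scan_rtf(build_sample(flag)))
```

Checking the decoded payload and not just the `\objclass` control word matters: real droppers routinely strip the class name from the RTF text, so the CLSID inside the OLE stream is the indicator to rely on. Any hit should simply block the file; there is no legitimate reason for a document to carry an Equation Editor 3.0 object on a patched estate.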

Functional Capabilities

Once installed, HZ RAT connects to a command-and-control (C2) server and waits for instructions. The backdoor itself implements only a small command set:

  1. Execute a shell command and return its output.
  2. Write a file received from the server to disk.
  3. Send a file from the victim to the server.
  4. Check that the victim is still online.

Everything else the attackers did in the cases Kaspersky observed was built from those primitives, mostly by running shell commands: system reconnaissance (installed applications, network and hardware details), harvesting stored credentials, and reading the victim's personal data out of the messaging apps, namely the WeChatID, email address and phone number from WeChat.

Targeted Data and Infrastructure

For DingTalk the attackers collected corporate data instead: organisation name, department, username and contact details, enough to place a victim inside their employer's structure. The C2 servers are mostly located in China, with a few in the U.S. and the Netherlands. One copy of the malicious installer was also found hosted on a domain belonging to miHoYo, the Chinese video game developer; how the file got there, and whether the domain was compromised, was not established.

Implications and Current Status

The persistent use of HZ RAT over several years shows that a simple backdoor is enough when the real effort goes into the lure and into what is collected afterwards: the identities pulled from WeChat and DingTalk are exactly what an attacker needs to pick further targets inside an organisation. Kaspersky's latest findings show the malware is still active and that the macOS build remains a live threat. Users of the targeted apps should keep Office patched (the RTF vector depends on a flaw fixed in 2017), obtain OpenVPN and similar tools only from the vendor, and check an installer's code signature before running it rather than trusting the name it carries.
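For defenders with process telemetry on their Macs, the installer vector has a recognisable shape: the package installer runs its install script, the script starts the genuine application, and the same script starts a second executable that nobody signed and that lives outside the normal install locations. The heuristic below is an added example written for this page, not code from the original article or from Kaspersky, and it assumes endpoint events that carry pid, parent pid, image path and a code-signature verdict (the field names and the process events are constructed for the demonstration).

```python
# Process images that belong to the macOS package installer (assumed allowlist).
INSTALLER_IMAGES = {
    "/usr/sbin/installer",
    "/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer",
}
# Interpreters an installer uses to run its preinstall/postinstall scripts.
SCRIPT_INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}
# Locations from which a freshly installed program is expected to run.
EXPECTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def lineage(events_by_pid: dict, pid: int) -> list:
    """Walk ppid links upward and return the chain of image paths, child first."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)
        ev = events_by_pid[pid]
        chain.append(ev["path"])
        pid = ev["ppid"]
    return chain


def flag_installer_drops(events: list) -> list:
    """Return (pid, path, chain) for executables that an installer script started
    and that are either unsigned or running from an unexpected location."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = lineage(by_pid, e["pid"])
        ran_from_installer = any(p in INSTALLER_IMAGES for p in chain[1:])
        via_script = any(p in SCRIPT_INTERPRETERS for p in chain[1:])
        if not (ran_from_installer and via_script):
            continue
        if e["path"] in SCRIPT_INTERPRETERS:
            continue  # the installer's own script shell, not a dropped binary
        if e["signature"] == "valid" and e["path"].startswith(EXPECTED_PREFIXES):
            continue  # the genuine product being installed, e.g. the real VPN client
        hits.append((e["pid"], e["path"], chain))
    return hits


# Constructed process events (not real telemetry): a trojanised installer whose
# postinstall script starts the real application and, from the same script, an
# unsigned executable unpacked into a temporary directory.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "path": "/usr/sbin/installer", "signature": "valid"},
    {"pid": 101, "ppid": 100, "path": "/bin/sh", "signature": "valid"},
    {"pid": 102, "ppid": 101, "path": "/Applications/Example VPN.app/Contents/MacOS/Example VPN", "signature": "valid"},
    {"pid": 103, "ppid": 101, "path": "/private/tmp/pkg-unpack/helper", "signature": "none"},
    {"pid": 200, "ppid": 1,   "path": "/Applications/Safari.app/Contents/MacOS/Safari", "signature": "valid"},
]

if __name__ == "__main__":
    for pid, path, chain in flag_installer_drops(SAMPLE_EVENTS):
        print(f"pid {pid}: {path}  <- " + " <- ".join(chain[1:]))
```

On the sample data only the helper in `/private/tmp` is reported; the signed application under `/Applications` started by the same script passes. Expect to tune `EXPECTED_PREFIXES` and the interpreter list for your fleet, since some legitimate installers do run signed helpers out of temporary directories, and treat a hit as a reason to pull the package and inspect its scripts rather than as a verdict on its own.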

Lilu Anderson is a technology writer and analyst with over 12 years of experience in the tech industry. A graduate of Stanford University with a degree in Computer Science, Lilu specializes in emerging technologies, software development, and cybersecurity. Her work has been published in renowned tech publications such as Wired, TechCrunch, and Ars Technica. Lilu’s articles are known for their detailed research, clear articulation, and insightful analysis, making them valuable to readers seeking reliable and up-to-date information on technology trends. She actively stays abreast of the latest advancements and regularly participates in industry conferences and tech meetups. With a strong reputation for expertise, authoritativeness, and trustworthiness, Lilu Anderson continues to deliver high-quality content that helps readers understand and navigate the fast-paced world of technology.