MacOS malware called RustDoor impersonates Visual Studio update

published: Feb. 9, 2024

Take action: If you are using Microsoft Visual Studio on Mac, be very careful about update files and links to MS Visual Studio. Download updates only from Microsoft sources.


Learn More

A novel Rust-based macOS malware, dubbed RustDoor, has been identified as impersonating a Visual Studio update, creating a backdoor threat to macOS systems. This malware has been actively distributed since at least November 2023 and is compatibile with both Intel-based (x86_64) and ARM (Apple Silicon) architectures.

Security researchers have identified a potential connection between RustDoor and the notorious ALPHV/BlackCat ransomware gang, based on the malware's communication with four command and control (C2) servers, three of which have previously been implicated in ransomware attacks.

RustDoor's distribution is disguised as an updater for Visual Studio for Mac—an integrated development environment (IDE) from Microsoft. This approach allows the malware to infiltrate systems under various guises, including misleading names like 'zshrc2,' 'Previewers,' and 'VisualStudioUpdater,' among others.

Once installed, RustDoor exhibits extensive backdoor capabilities, enabling attackers to execute a range of commands for system control and data exfiltration. These include process listing, arbitrary shell command execution, directory navigation, file and directory manipulation, and even the termination of other malware processes. It achieves persistence through modifications to system files, employing Cron jobs and LaunchAgents to ensure it remains active across system reboots.

Bitdefender's analysis reveals three distinct variants of RustDoor, each with unique characteristics and functionalities. The earliest version was observed in early October 2023, followed by a testing version on November 22 and a more sophisticated variant on November 30, which includes advanced features for targeted data exfiltration.

Download domains for the malware

  • https://sarkerrentacars.com/zshrc
  • https://turkishfurniture.blog/Previewers
  • http://linksammosupply.com/zshrc2
  • http://linksammosupply.com/VisualStudioUpdaterLs2
  • http://linksammosupply.com/VisualStudioUpdater

C&C URLs

  • maconlineoffice.com
  • 193.29.13.167
  • 88.214.26.22
  • https://serviceicloud.com

MacOS malware called RustDoor impersonates Visual Studio update