RustDoor macOS Backdoor targets cryptocurrency companies with fake job postings

Cryptocurrency Firms

Several companies operating in the cryptocurrency sector have been targeted by a newly discovered Apple macOS backdoor codenamed RustDoor.

RustDoor was first documented by Bitdefender last week, describing it as a Rust-based malware capable of collecting and uploading files, as well as gathering information about the infected machines. It is distributed by pretending to be a Visual Studio update.

Although previous evidence revealed at least three different variants of the backdoor, the exact initial spread mechanism remained unknown.

That said, the Romanian cybersecurity firm subsequently told The Hacker News that the malware was used as part of a targeted attack rather than a shotgun distribution campaign, noting that it found additional artifacts responsible for downloading and executing RustBy.


“Some of these first-stage downloaders claim to be PDF files with job postings, but in reality they are scripts that download and run the malware, while also downloading and opening a harmless PDF file that bills itself as a confidentiality agreement,” says Bogdan Botezatu, director of threat research and reporting at Bitdefender, said.

Since then, three more malicious samples have come to light acting as first-stage payloads, all claiming to be job offers. These ZIP archives predate the earlier RustDoor binaries by almost a month.

The new part of the attack chain – i.e. the archive files (“” or “”) – contains a basic shell script responsible for retrieving the implant from a website called turkishfurniture[.]blogging. It is also designed to view a harmless decoy PDF file (“job.pdf”), hosted on the same site, as a distraction.

Fake vacancies

Bitdefender said it also detected four new Golang-based binaries communicating with an actor-controlled domain (“sarkerrentacars[.]com”), the purpose of which is to “collect information about the victim’s machine and its network connections using the system_profiler and network setup utilities, which are part of the macOS operating system.

Additionally, the binaries are capable of extracting details about the disk via “diskutil list” and retrieving a broad list of kernel parameters and configuration values ​​using the “sysctl -a” command.

A closer look at the command-and-control (C2) infrastructure has also revealed a leaky endpoint (“/client/bots”) that allows the collection of details about currently infected victims, including the timestamps at which the infected host was recorded and the last activity was observed.


The development comes as South Korea’s National Intelligence Service (NIS). revealed that an IT organization affiliated with Office No. 39 of the Workers’ Party of North Korea generates illegal income by sale thousands of malware-laced gambling websites to other cybercriminals to steal sensitive data from unsuspecting gamblers.

The company behind the Malware-as-a-Service (MaaS) program is Gyeongheung (also spelled Gyonghung), a 15-member entity based in Dandong that reportedly received $5,000 from an unknown South Korean criminal organization in exchange for creating a single website. and $3,000 per month to maintain the website, Yonhap News Agency reported.

#RustDoor #macOS #Backdoor #targets #cryptocurrency #companies #fake #job #postings

Notify of
Inline Feedbacks
View all comments
Previous Post
Akira Ransomware exploits Cisco ASA/FTD vulnerability

Akira Ransomware exploits Cisco ASA/FTD vulnerability

Next Post
Bulk Smishing Attacks

Malicious ‘SNS Sender’ script abuses AWS for bulk smishing attacks

Related Posts