www.intego.com Open in urlscan Pro
2606:4700::6812:16a  Public Scan

URL: https://www.intego.com/mac-security-blog/new-macos-malware-hz-rat-gives-attackers-backdoor-access-to-macs/
Submission: On September 17 via api from IN — Scanned from US

Form analysis 2 forms found in the DOM

GET https://www.intego.com/mac-security-blog/

<form role="search" method="get" id="searchform" action="https://www.intego.com/mac-security-blog/">
  <label class="assistive-text" for="s">Search for:</label>
  <input type="search" placeholder="Search the Blog" value="" name="s" id="s">
  <input type="image" src="https://www.intego.com/mac-security-blog/wp-content/themes/starkers-html5-master/images/btn_search.png" id="searchsubmit" class="btn">
</form>

GET /api/1/subscribe

<form action="/api/1/subscribe" method="GET">
  <input type="hidden" name="newsletter[]" value="mac_security">
  <div class="submit-ct">
    <label for="newsletter_email" class="placeholder-fallback">Email address:</label>
    <input type="text" name="email" value="" id="newsletter_email" title="Enter email address" placeholder="Email address" class="email">
    <input type="submit" value="Submit" class="submit" title="Submit">
  </div>
</form>

Text Content

Intego Logo
 * Buy Now


MENU ☰

 * Our Products
   Mac
   Windows
   
   
   INTEGO HOME PRODUCTS
   
   COMPATIBLE WITH MACOS VENTURA!
   
   Mac Internet Security X9
   Mac Premium Bundle X9
   
   
   INTEGO HOME PRODUCTS
   
   Security
   VirusBarrier X9
   NetBarrier X9
   Privacy
   ContentBarrier X9
   Intego Privacy Protection New
   Utility
   Mac Washing Machine X9
   Personal Backup 10.9
   
   
   INTEGO HOME WINDOWS PRODUCTS
   
   COMPATIBLE WITH WINDOWS 7, 8, 10 AND 11
   
   Intego Antivirus
   Intego Privacy Protection
   
      Intego Home Products
    *   Mac Premium Bundle X9
    *   Mac Internet Security X9
      Intego Home Windows Products
    *   Intego Antivirus
    *   Intego Privacy Protection
      

 * For Business
 * Blog
 * Support
    * Customer Support
    * Knowledge Base
    * Downloads
    * Submit Malware
    * Contact Support
    * Check Your Requests
    * Upgrade
    * Renew
    * Request A Quote

 * My Account
 * Buy Now

The Mac Security Blog
Search for:

SHARE

Shares
Tweets
Shares
Pins
Print

Malware


NEW MACOS MALWARE HZ RAT GIVES ATTACKERS BACKDOOR ACCESS TO MACS

Posted on September 5th, 2024 by Joshua Long



There’s a new family of Mac malware, and—surprise!—it isn’t primarily a stealer
this time. HZ RAT is macOS malware that gives remote attackers complete control
of an infected Mac.

Here’s everything you need to know to stay safe from this new Mac malware
threat.


WHAT DOES HZ RAT DO?

HZ RAT is a remote access Trojan (RAT)—a tool that gives an attacker full remote
administration privileges. The earliest known version of this RAT was observed
in 2022 targeting Windows PCs, and now it has arrived on the Mac.

In general, an attacker who controls a RAT can send commands to an infected
system just as though they were sitting in front of it. This can potentially
include downloading and running additional tools and malware, taking
screenshots, logging keystrokes, and more. RATs also allow attackers to do all
the typical things stealer malware does—i.e. collecting and exfiltrating
sensitive data.

Data collection appears to be one of the main purposes of HZ RAT in particular.
The Mac version makes a list of which apps are installed and collects user
information from WeChat and DingTalk (Mac apps commonly used in China). It also
gathers the username and site combinations from Google Password Manager.

While the collected Google Password Manager data doesn’t include passwords, the
username-and-site pairs could potentially be used along with leaked passwords
from past data breaches; unfortunately, many people reuse passwords across
multiple sites.


HOW DOES HZ RAT SPREAD?

It isn’t yet known how victims may have encountered HZ RAT installers in the
first place. However, one known Trojan horse that installs HZ RAT is a
maliciously modified version of OpenVPN Connect, a common VPN app.

It’s possible that this Trojan horse might be distributed through means such as
malicious Google Ads that appear at the top of search results (a very common
malware distribution tactic in 2024). Or it might be distributed in more
targeted, watering-hole style attacks, or through some other distribution
method.

In any case, it’s important to always download apps from the App Store (if
available there) or from the original developer’s site (which, ideally, you’ve
already visited and bookmarked, so you don’t have to Google it).


HOW CAN I KEEP MY MAC SAFE FROM RATS AND OTHER MALWARE?

If you use Intego VirusBarrier, you’re already protected from this malware.
Intego detects these samples as OSX/HZRat.ext.

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a
powerful solution designed to protect against, detect, and eliminate Mac
malware.

If you believe your Mac may be infected, or to prevent future infections, it’s
best to use antivirus software from a trusted Mac developer. VirusBarrier is
award-winning antivirus software, designed by Mac security experts, that
includes real-time protection. It runs natively on both Intel- and Apple
silicon-based Macs, and it’s compatible with Apple’s current Mac operating
system, macOS Sonoma.

One of VirusBarrier’s unique features is that it can scan for malicious files on
an iPhone, iPad, or iPod touch in user-accessible areas of the device. Just
attach your iOS or iPadOS device to your Mac via a USB cable and open
VirusBarrier.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer
protected from malware.


INDICATORS OF COMPROMISE (IOCS)

Following are SHA-256 hashes of malware samples from this campaign:

0cca3449ff12cb75c9fd9cf4628b5d72f5ac67d1954dc97d9830436207c4c917
1400210f2eedab36caff8ce89d6d19859ba3116775981b2be8b5069ef109c2c3
1e07585f52be4605be0459bc10c67598eebe8c5d003d6e2d42f4dbbd037e74c1
5d78fc86a389247d768a6bdf46f3e4fd697ed87c133b99ee6865809e453b2908
6210ec0e905717359e01358118781a148b6d63834a54a25a95e32e228598c391
74c92a7bc5f909f4e36d65ee1eb254c438f47f1a7d559d7629bccafd2d2979db
7af7422edf7c558b6215489c020673e195e5eedd99ae330bb90066924f5cf661
87393d937407a6fe9e69dad3836e83866107809980e20a40ae010d7d72f90854
c689113a9a2fca2148caa90f71115c2c2bafeac36edebde4ffc63f87619033a9
d006d5864108094a82315ee60ce057afc8be09546ffaa1f9cc63a51a96764114
d9b0fcd3b20a82b97b4c74deebc7a2abb8fd771eaa12aaf66bdd5cdeaa30f706
e02e264a745e046f2a85ad90698fdd241c7902e73572a54995a8b20349bef940
eb7a8ddf8fc13efcc4785226d0085379399c088604a8a451b8800b11e836a5af
f39aafb9489b9b60b34e3d4e78cd9720446b6247531b81cbd4877804b065a25f
f3c101cd1e7be4ce6afe5d0236bfdd5b43870ff03556908f75692585cfd55c55
ffeed91c223a718c1afd6d8f059a76ec97eb0eae6c4b2072b343be1b4eba09b8

This malware campaign leverages the following command-and-control (C2) IP
addresses, most of which appear to be located in China:

20.60.250[.]230
29.40.48[.]21
47.100.65[.]182
58.49.21[.]113
111.21.246[.]147
113.125.92[.]32
120.53.133[.]226
123.232.31[.]206
218.65.110[.]180
218.193.83[.]70

Network administrators can check logs to try to identify whether any computers
may have attempted to contact these IPs in recent weeks, which could indicate a
possible infection.


DO SECURITY VENDORS DETECT THIS BY ANY OTHER NAMES?

Other antivirus vendors’ names for this malware may include variations of the
following:

A Variant Of OSX/HZRat.A, ABBackdoor.PNBT-, Backdoor:MacOS/HZRat.A,
Backdoor.HZRat/OSX!1.10239 (CLASSIC), BackDoor.Rat.504,
Backdoor/OSX.HZRat.57832, Backdoor/OSX.HZRat.65736, Backdoor/OSX.HZRat.81033750,
Gen:Variant.Trojan.MAC.HZRat.1 (B), HEUR:Backdoor.OSX.HZRat.a,
HEUR:Backdoor.OSX.HZRat.gen, MacOS:Agent-ANR [Trj], MacOS:HZRat-A [Trj],
MacOS/ABTrojan.AWJF-, MacOS/ABTrojan.BFPE-, MacOS/ABTrojan.DIJE-,
MacOS/ABTrojan.FYPM-, MacOS/ABTrojan.JIKJ-, MacOS/ABTrojan.MAOD-,
MacOS/ABTrojan.NRFK-, MacOS/ABTrojan.RCIO-, MacOS/ABTrojan.RQNI-,
MacOS/ABTrojan.SZVP-, MacOS/ABTrojan.URYF-, MacOS/ABTrojan.XYJG-,
MacOS/ABTrojan.ZCRE-, MacOS/ABTrojan.ZYUF-, Malware.OSX/GM.Agent.IJ,
Malware.OSX/GM.HZRat.WL, Osx.Backdoor.Hzrat.Azlw, Osx.Backdoor.Hzrat.Bdhl,
Osx.Backdoor.Hzrat.Cgow, Osx.Backdoor.Hzrat.Cwnw, Osx.Backdoor.Hzrat.Iajl,
Osx.Backdoor.Hzrat.Kjgl, Osx.Backdoor.Hzrat.Lajl, Osx.Backdoor.Hzrat.Lcnw,
Osx.Backdoor.Hzrat.Mqil, Osx.Backdoor.Hzrat.Msmw, Osx.Backdoor.Hzrat.Ogil,
Osx.Backdoor.Hzrat.Qimw, Osx.Backdoor.Hzrat.Xtjl, Osx.Backdoor.Hzrat.Zimw,
Osx.Backdoor.Hzrat.Zmhl, OSX.Trojan.Gen, OSX/Agent, OSX/GM.Agent.IJ,
OSX/HCSSET.ext, OSX/HZRat-A, OSX/HZRat.A!tr, OSX/RootRat, TROJ_FRS.0NA103HU24,
Trojan ( 0040f50d1 ), Trojan:MacOS/HzRat.A!MTB, Trojan:MacOS/Multiverze,
Trojan.MAC.Generic.119695 (B), Trojan.MAC.Generic.119751 (B),
Trojan.MAC.Generic.119785 (B), Trojan.MAC.Generic.D1D38F,
Trojan.MAC.Generic.D1D3C7, Trojan.MAC.Generic.D1D3E9, Trojan.OSX.Hzrat,
Trojan.OSX.HZRat.4!c, Trojan.OSX.HZRat.m!c, Trojan.Trojan.MAC.HZRat.1,
Trojan[Backdoor]/MacOS.HZRat, Trojan[Backdoor]/OSX.HZRat.gen,
UDS:Backdoor.OSX.HZRat, UDS:DangerousObject.Multi.Generic, XAR/ABTrojan.MJTT-

Is your Mac Secured?
Check out Intego’s store and find the right product for you.
Secure Your Digital Life Now





HOW CAN I LEARN MORE?

For more technical details about this malware, you can read Sergy Puzan’s
report.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the
latest Apple news, including security and privacy stories, and offer practical
advice on getting the most out of your Apple devices. Be sure to follow the
podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac
Security Blog for the latest Apple security and privacy news. And don’t forget
to follow Intego on your favorite social media channels:       


SHARE THIS:

 * Twitter
 * Facebook
 * 


ABOUT JOSHUA LONG

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned
security researcher and writer, and an award-winning public speaker. Josh has a
master's degree in IT concentrating in Internet Security and has taken
doctorate-level coursework in Information Security. Apple has publicly
acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh
has conducted cybersecurity research for more than 25 years, which is often
featured by major news outlets worldwide. Look for more of Josh's articles at
security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.
View all posts by Joshua Long →
This entry was posted in Malware and tagged Malware, Trojan Horse. Bookmark the
permalink.





POPULAR STORIES

 * Porn blackmail "sextortion" emails: Have you been hacked? A new scam
 * The Complete Guide to Apple Watch Bands in 2024: Sizing, Styles, and More
 * How to Install macOS Sequoia on Unsupported Macs, for Security Improvements
 * How to Prepare Your Mac to Upgrade to macOS Sequoia: the Ultimate Guide




FOLLOW INTEGO





RECOMMENDED

 * Security & Privacy
   What to do after a data breach—and how to avoid getting hacked—in 9 easy
   steps
 * Security & Privacy
   When does an old Mac become unsafe to use?
 * Apple
   When does an old iPhone become unsafe to use?
 * How To
   Data Backup Plan: How to Implement the 3-2-1 Backup Strategy




SUBSCRIBE

Sign up for a Free Mac Security Newsletter to stay updated.

Email address:





APPLE NEWS

 * How to Use Two-Factor Authentication for Your Apple Account and iCloud
   Account
 * How to Choose the Right iPhone for You in 2024
 * Apple Introduces iPhone 16, Apple Watch 10, and New AirPods
 * Which Apple Watch is Right for You in 2024?

Related posts:

 1. Mac stealer malware Realst disguises itself as video games, is macOS
    Sonoma-ready



SECURITY PRODUCTS FOR HOME

 * Mac Internet Security X9
 * Mac Premium Bundle X9
 * ContentBarrier X9
 * ContentBarrier Secure X9
 * Mac Washing Machine X9
 * Mac Washing Machine Secure X9
 * Intego Antivirus for Windows
 * Intego Privacy Protection

SECURITY PRODUCTS FOR BUSINESS

 * VirusBarrier X9
 * NetBarrier X9

SUPPORT

 * Knowledge Base
 * Downloads
 * Submit Malware
 * Contact Support
 * Check Your Requests

MAC RESOURCE CENTER

 * New Mac User Center
 * Malware Definitions
 * Glossary of Terms
 * Why Trust a PC Vendor?
 * Free Mac Antivirus

COMPANY

 * News
 * Careers
 * Awards
 * Partners
 * Privacy Policy
 * Terms of Use
 * Submission Policy
 * Contact Us

DOWNLOADS AND UPGRADES

 * Renew
 * Upgrade
 * Buy Now
 * Free Trial
 * Student Discount

FIND US

 * Facebook
 * Twitter
 * LinkedIn
 * YouTube

SITEMAP

Intego Logo
 * Privacy Policy | Terms of Use

Copyright © 2023 Intego
Microsoft and Windows are trademarks of the Microsoft group of companies


 * English
 * Français
 * Deutsch
 * 日本語
 * Español

Get Offer