On the DNS Trail of the Rise of macOS Backdoors | WhoisXML API


On the DNS Trail of the Rise of macOS Backdoors

The number of malware families, backdoors included, specifically targeting macOS rose by more than 50% from 2022 to 2023 [1]. We analyzed two of them: RustDoor and KandyKorn.

The first backdoor, RustDoor [2], was said to have ties to a Windows ransomware operator, while the second, KandyKorn [3], stole data from affected users. We sought to find out how widespread their digital footprints were in the DNS through IoC expansion analyses.

Seven RustDoor IoCs comprising five domain names and two IP addresses led to:

  • Five email-connected domains
  • Four additional IP addresses, one of which turned out to be malicious
  • 72 string-connected domains

Four KandyKorn IP address IoCs led to 28 IP-connected domains, all of which turned out to be malicious.
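The pivots behind the counts above (email-connected domains, additional IP addresses, IP-connected domains and string-connected domains) can be reproduced on any WHOIS and passive-DNS dataset. The following is an added illustration, not WhoisXML API code and not tied to its products: every record, the seed indicators and the addresses (RFC 5737 test ranges, reserved `.example` names) are constructed for the example and are not the RustDoor or KandyKorn IoCs from the report. The record layout and the helper names are assumptions.

```python
"""IoC expansion over a constructed WHOIS / passive-DNS dataset.

Added example; not WhoisXML API code. All records below are constructed,
and the seed IoCs are placeholders, not the indicators from the report.
"""
from dataclasses import dataclass


@dataclass
class WhoisRecord:
    registrant_email: str   # registrant contact from WHOIS (often redacted in practice)
    a_records: list         # IPv4 addresses the domain has resolved to


# Constructed WHOIS + DNS dataset (assumed layout; 192.0.2.0/24, 198.51.100.0/24
# and 203.0.113.0/24 are documentation ranges and never route on the Internet).
WHOIS = {
    "seed-one.example":        WhoisRecord("actor@mail.example",   ["192.0.2.10"]),
    "seed-two.example":        WhoisRecord("actor@mail.example",   ["192.0.2.11"]),
    "shared-reg.example":      WhoisRecord("actor@mail.example",   ["198.51.100.5"]),
    "seed-one-update.example": WhoisRecord("other@mail.example",   ["198.51.100.6"]),
    "unrelated.example":       WhoisRecord("someone@mail.example", ["203.0.113.7"]),
    "co-hosted.example":       WhoisRecord("someone@mail.example", ["192.0.2.10"]),
}


def build_reverse_index(whois):
    """Passive-DNS style reverse index: IP -> set of domains seen resolving to it."""
    index = {}
    for domain, rec in whois.items():
        for ip in rec.a_records:
            index.setdefault(ip, set()).add(domain)
    return index


def email_connected(seed_domains, whois):
    """Domains outside the seed set that share a registrant email with any seed."""
    emails = {whois[d].registrant_email for d in seed_domains if d in whois}
    return sorted(d for d, r in whois.items()
                  if r.registrant_email in emails and d not in seed_domains)


def additional_ips(seed_domains, seed_ips, whois):
    """IP addresses the seed domains resolve to that are not already seed IoCs."""
    ips = {ip for d in seed_domains if d in whois for ip in whois[d].a_records}
    return sorted(ips - set(seed_ips))


def ip_connected(ips, reverse_index, seed_domains):
    """Domains seen resolving to the given IPs, excluding the seeds themselves."""
    found = set()
    for ip in ips:
        found |= reverse_index.get(ip, set())
    return sorted(found - set(seed_domains))


def string_connected(seed_domains, whois):
    """Domains whose second-level label contains a seed's second-level label."""
    labels = {d.split(".")[0] for d in seed_domains}
    return sorted(d for d in whois
                  if d not in seed_domains
                  and any(label in d.split(".")[0] for label in labels))


def expand(seed_domains, seed_ips, whois):
    """Run all four pivots from the seed IoCs and return the artifacts found."""
    reverse_index = build_reverse_index(whois)
    return {
        "email_connected":  email_connected(seed_domains, whois),
        "additional_ips":   additional_ips(seed_domains, seed_ips, whois),
        "ip_connected":     ip_connected(seed_ips, reverse_index, seed_domains),
        "string_connected": string_connected(seed_domains, whois),
    }


if __name__ == "__main__":
    # Constructed seed IoCs: two domains and one IP address.
    result = expand(["seed-one.example", "seed-two.example"], ["192.0.2.10"], WHOIS)
    for pivot, artifacts in result.items():
        print(f"{pivot}: {artifacts}")
```

Each pivot carries a different false-positive profile, which is why expanded artifacts are reported as "connected" rather than as indicators: an IP pivot on a shared-hosting or CDN address drags in unrelated tenants (the constructed `co-hosted.example` above shows the pattern), email pivots weaken where WHOIS contact data is redacted, and string pivots need a human check before they are treated as attacker infrastructure. Only after that vetting, for instance a lookup against a malware feed, does an expanded artifact "turn out to be malicious" in the sense the counts above use.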

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.securityweek.com/21-new-mac-malware-families-emerged-in-2023/
  • [2] https://www.bitdefender.com/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group/
  • [3] https://www.sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/