How to eliminate HZ RAT from compromised devices

Mac Virus

Also Known As: HZ RAT malware


To use full-featured product, you have to purchase a license for Combo Cleaner. Seven days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

What is HZ RAT?

HZ RAT is a backdoor targeting macOS users, specifically users of the macOS versions of DingTalk and WeChat. A Windows version of HZ RAT also exists. To limit the damage, victims should remove the malware from infected computers as soon as possible.

HZ RAT unwanted application

HZ RAT overview

When executed, HZ RAT connects to a command-and-control (C2) server chosen from a list of IP addresses hard-coded in the backdoor. It supports four primary commands: executing shell commands, writing files to disk, sending files to a remote server, and checking the victim's availability.
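Because the C2 addresses are embedded in the binary as literals, a first triage step on a suspicious sample is to pull out every dotted-quad string, discard the ones that cannot be a routable C2 (private, loopback, link-local, multicast), and hand the rest to the firewall and the proxy logs. The script below is an added example, not code from this page or from the analysis it summarizes; it uses only POSIX tools (no `strings`), and the sample file in the usage note is constructed. Version strings such as `1.2.3.4` also match the pattern, so the result is a candidate list for manual review, not a verdict.

```shell
#!/bin/sh
# Added example: extract IPv4 literals from a suspicious Mach-O (or any file)
# and classify them, so the hard-coded C2 list can be blocked and hunted for.
# Requires only POSIX tr/grep/sort/awk; works on macOS and Linux.

# Emulate `strings` for our narrow purpose: every byte that is not a digit
# or a dot becomes a newline, so each remaining line is a run of digits/dots.
# Then keep only lines shaped like a dotted quad, dedupe, and classify.
extract_ipv4() {
    tr -c '0-9.' '\n' < "$1" \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | sort -u \
    | awk -F. '
        # Octets above 255 mean this is a version string, not an address.
        $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255 { next }
        {
            cls = "public"
            if ($1 == 10 || ($1 == 172 && $2 >= 16 && $2 <= 31) || ($1 == 192 && $2 == 168))
                cls = "private"
            else if ($1 == 127) cls = "loopback"
            else if ($1 == 0) cls = "unspecified"
            else if ($1 == 169 && $2 == 254) cls = "link-local"
            else if ($1 >= 224) cls = "multicast-or-reserved"
            print cls "\t" $0          # output: <class><TAB><address>
        }'
}

# Only publicly routable addresses can be the backdoor's C2 endpoints.
c2_candidates() {
    extract_ipv4 "$1" | awk '$1 == "public" { print $2 }'
}

# Usage (constructed sample, not a real HZ RAT binary):
#   printf 'MH\001\002 203.0.113.10\001 xx10.0.0.5yy\001 ver 2.5.300.1' > /tmp/sample.bin
#   c2_candidates /tmp/sample.bin      # prints 203.0.113.10
```

On a real sample run `c2_candidates /path/to/suspect` and cross-check every printed address against your egress logs; a hit from a host that has DingTalk or WeChat installed is the signal the page says you will not otherwise see.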

These commands give the attacker file management and system monitoring on the infected device. HZ RAT can also collect information about the victim and the system, including the IP address, hardware specifications, the list of installed applications, user details from WeChat and DingTalk, data from Google Password Manager, and more.

Furthermore, HZ RAT seeks to extract information from the victim's WeChat account, including their WeChat ID, email, and phone number. For DingTalk, it aims to collect organizational data, such as the user's organization and department names, usernames, corporate email addresses, and phone numbers.

HZ RAT appears to be focused on gathering user data. Because it collects the victim's private IP address, it may be used to prepare lateral movement across the network. The information gathered about victims' companies and contacts could support espionage and set up follow-on attacks.

Moreover, the supported commands (shell execution and writing files to disk) mean the operators can use HZ RAT to deploy other harmful software, such as ransomware, cryptocurrency miners, or other types of malware.

Threat Summary:
Name: HZ RAT malware
Threat Type: RAT, Backdoor
Detection Names: Avast (MacOS:Agent-ANR [Trj]), Combo Cleaner (Gen:Variant.Trojan.MAC.HZRat.1), ESET-NOD32 (A Variant Of OSX/HZRat.A), Kaspersky (HEUR:Backdoor.OSX.HZRat.gen), Full List Of Detections (VirusTotal)
Symptoms: RATs are designed to infiltrate the victim's computer stealthily and remain silent, so no particular symptoms are visible on an infected machine.
Distribution Methods: Trojanized installation packages posing as legitimate apps (e.g., a fake OpenVPN Connect .pkg)
Possible Damage: Privacy risks, identity theft, additional computer infections.
Malware Removal (Mac)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.


Conclusion

In conclusion, HZ RAT allows cybercriminals to remotely control infected computers and gather personal and organizational information. Its abilities indicate it could be used for further malicious activities, including deploying other harmful software. Some examples of other malware used to attack macOS users are Cthulhu, Banshee, and BeaverTail.

How did malware infiltrate my computer?

There is evidence that HZ RAT is distributed via trojanized installation packages (e.g., OpenVPNConnect.pkg). These installers pose as legitimate apps (e.g., OpenVPN Connect) but contain extra files alongside the app. When the app is launched, those extra files run and start the HZ RAT backdoor.
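A practical check before double-clicking any .pkg is to list what it will actually put on disk and flag anything that does not belong to the app it claims to install. The script below is an added example, not code from this page or from the vendor analysis it summarizes. The `flag_unexpected_payload` heuristics are assumptions: a bundle normally has exactly one binary in Contents/MacOS (assumed here to carry the bundle's own name; verify against CFBundleExecutable in Info.plist), and Contents/Resources normally holds typed files, so an extensionless file there is worth a look. The `inspect_pkg` wrapper calls macOS-only `pkgutil`; the listing in the usage note is constructed.

```shell
#!/bin/sh
# Added example: list a flat .pkg's payload and flag files that do not belong
# to the expected application bundle. Heuristics only; review every hit.

# Reads a file listing (one path per line, as `pkgutil --payload-files` prints
# it) on stdin and prints "<TAG><TAB><path>" for each suspicious entry.
# $1 = expected bundle name, e.g. "OpenVPN Connect.app".
flag_unexpected_payload() {
    awk -v app="$1" '
    {
        sub(/^\.\//, "")                       # pkgutil prints ./-relative paths
        if ($0 == "" || $0 == ".") next
        lines[++n] = $0
        # Remember where the expected bundle lives (any install prefix).
        if ($0 == app || substr($0, length($0) - length(app)) == "/" app) root = $0
    }
    END {
        if (root == "") { print "NO_BUNDLE\t" app; exit }
        main = app; sub(/\.app$/, "", main)    # ASSUMPTION: main binary named like the bundle
        for (i = 1; i <= n; i++) {
            p = lines[i]
            if (p == root || index(root, p "/") == 1) continue      # bundle root or a parent dir
            if (index(p, root "/") != 1) { print "OUTSIDE_BUNDLE\t" p; continue }
            rel = substr(p, length(root) + 2)                      # path inside the bundle
            if (rel ~ /^Contents\/MacOS\/[^\/]+$/ && rel != ("Contents/MacOS/" main))
                print "EXTRA_MAIN_EXEC\t" p
            else if (rel ~ /^Contents\/Resources\/[^\/.]+$/)
                print "BARE_RESOURCE\t" p
        }
    }'
}

# macOS-only wrapper: signature, payload listing, and any install scripts.
# $1 = path to .pkg, $2 = expected bundle name.
inspect_pkg() {
    pkg="$1"; app="$2"
    pkgutil --check-signature "$pkg"           # unsigned or unknown developer: stop here
    pkgutil --payload-files "$pkg" | flag_unexpected_payload "$app"
    dir="${TMPDIR:-/tmp}/pkg_inspect.$$"
    pkgutil --expand-full "$pkg" "$dir" && \
        find "$dir" -path '*/Scripts/*' -type f | awk '{ print "SCRIPT\t" $0 }'
}

# Usage (constructed listing, not the real malicious package):
#   printf '%s\n' './Applications/OpenVPN Connect.app' \
#       './Applications/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect' \
#       './Applications/OpenVPN Connect.app/Contents/Resources/init' \
#       './Applications/extra_payload' \
#   | flag_unexpected_payload 'OpenVPN Connect.app'
#   # -> BARE_RESOURCE ...Resources/init  and  OUTSIDE_BUNDLE Applications/extra_payload
```

For HZ RAT the page says the extra files run when the app is launched, not at install time, so the payload listing matters more than the preinstall/postinstall scripts; the scripts are still worth reading because a different build could start the backdoor from there.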

Malware is also commonly hidden in pirated software and cracking tools, delivered via email (malicious links or attachments) or malicious advertisements, or planted through vulnerabilities in outdated operating systems or programs, technical support scams, and similar avenues.

How to avoid malware

Do not download software from unknown sources or use pirated software, key generators, and cracking tools. Download applications and files from trusted sources, like official websites and app stores. Avoid opening files or links from suspicious emails, and do not engage with ads, pop-ups, or warnings on questionable websites.

Ensure your operating system and all applications are kept up to date, and regularly scan your computer for potential threats. If your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Mac to automatically eliminate all threats.

HZ RAT's package file contents:

HZ RAT malware contents

Fake OpenVPN Connect installer containing HZ RAT:

HZ RAT malware fake OpenVPN Connect installer

Instant automatic malware removal:

Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:


Unwanted applications removal:

Remove potentially unwanted applications from your "Applications" folder:

Manual removal of malicious Mac applications

Click the Finder icon. In the Finder window, select "Applications". In the Applications folder, look for applications you did not knowingly install (for example, a copy of OpenVPN Connect that arrived through the fake package described above) or other suspicious applications, and drag them to the Trash. After removing the suspicious application(s), scan your Mac for any remaining malicious components.


Frequently Asked Questions (FAQ)

My computer is infected with HZ RAT, should I format my storage device to get rid of it?

Formatting your storage device can effectively remove HZ RAT and other malware. However, formatting will erase all data on your device. Thus, we recommend using Combo Cleaner to scan the operating system and remove detected threats.

What are the biggest issues that malware can cause?

Malware infiltration can lead to problems like monetary loss, identity theft, data encryption, and system crashes. Cybercriminals can also use malware to steal personal accounts or for other malicious purposes.

What is the purpose of HZ RAT?

HZ RAT is designed to provide attackers with remote control over an infected device, allowing them to execute commands, manage files, and monitor the system. It focuses on collecting detailed personal and organizational data, including from WeChat and DingTalk, and can gather system information.

How did HZ RAT infiltrate my computer?

HZ RAT is distributed through deceptive installation packages, which disguise themselves as legitimate apps but contain hidden files that activate the backdoor. It is also commonly spread through pirated software, malicious emails, ads, outdated software vulnerabilities, and technical support scams.

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner can detect and remove nearly all known malware infections. However, sophisticated malware often hides deep within the system, so a full scan is necessary to eliminate malware of this kind.

Tomas Meskauskas

Expert security researcher, professional malware analyst

I am passionate about computer security and technology. I have over 10 years of experience working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats.
