Hackers use macOS extended file attributes to hide malicious code

November 14, 2024 at 11:16AM

Hackers are using a new technique, dubbed RustyAttr, to conceal malware in macOS file metadata, using decoy PDFs to evade detection. The method is reminiscent of the Bundlore adware, and researchers attribute the samples to the North Korean group Lazarus. The malware remains undetected by security agents, which suggests an experimental delivery approach.

### Meeting Takeaways

1. **New Malware Technique Identified**:
– Researchers have detected a trojan called **RustyAttr**, which leverages macOS’s extended attributes (EAs) to conceal malicious code.

2. **Trojan Delivery Method**:
– Malicious code is embedded in custom file metadata, specifically the EA named ‘test’, which contains a shell script.
– The malware utilizes decoy PDF documents to disguise its activity and avoid detection.

3. **Similarity to Previous Malware**:
– This technique recalls the **Bundlore adware** incident in 2020, which similarly hid payloads using resource forks.

4. **Attribution to Lazarus Group**:
– Group-IB researchers attribute the malware to North Korean threat actor **Lazarus** with moderate confidence, speculating it may represent experimentation with new delivery methods.

5. **Evasion of Detection**:
– The method has proven effective against detection tools; malicious files went unflagged on the **VirusTotal** platform.

6. **Technical Details**:
– The malware is built using the **Tauri framework**, allowing a combination of web-based frontend technology (HTML, JavaScript) with a Rust backend.
– When executed, it pulls command information from the EA and runs it via a JavaScript function.

7. **Decoy Strategies**:
– Some samples feature decoy PDFs or error dialogs to lessen user suspicion, with PDF files linked to cryptocurrency investment topics aligned with Lazarus’ historical targets.

8. **App Certification and Infection Flow**:
– The malicious apps were signed with a leaked (and now revoked) certificate but were not notarized, which contributed to their ability to pass initial security checks.
– Group-IB could not analyze the next-stage malware, although indications suggest a connection to known Lazarus-controlled servers.

9. **Related Activity by BlueNoroff**:
– There are clear parallels with activities from another North Korean group, **BlueNoroff**, which uses cryptocurrency-oriented phishing tactics to distribute malware on macOS.
– Both groups seek to exploit vulnerabilities in macOS, utilizing sophisticated evasion techniques.

### Next Steps
– Monitor the evolving tactics of Lazarus and BlueNoroff for potential threats.
– Enhance security measures to detect unusual behaviors in file attributes and app engagements on macOS.
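The attribute-based hiding described in items 2 and 6 and the "unusual behaviors in file attributes" check under Next Steps suggest a concrete defensive check. The scanner below is an added example, not code from the article or from Group-IB: it lists each file's extended attributes with the stock macOS `xattr` command-line tool, undoes the hex dump that `xattr -p` prints for binary values, and flags attributes whose name lacks a known vendor prefix or whose value looks like a shell script. The vendor-prefix list, the script markers, the size threshold and the embedded sample attributes (including the `test` name from the article) are constructed assumptions; the hex-dump layout is assumed from the macOS tool's output. The parsing and scoring functions are pure and run on any platform, only the scanning wrapper needs macOS.

```python
"""Scan files for extended attributes that carry script content.

Added example (not from the article or from Group-IB). It wraps the
stock macOS `xattr` tool, so live scanning works only on macOS; the
parsing and scoring functions below are pure and run anywhere. The
prefix list, markers, threshold and sample values are constructed.
"""
from __future__ import annotations

import os
import re
import subprocess

# Attribute name prefixes that macOS and common tooling write themselves
# (assumed list). The RustyAttr samples used a bare custom name ("test")
# rather than a reverse-DNS vendor name, so anything outside is reported.
KNOWN_PREFIXES = ("com.apple.", "com.microsoft.", "com.google.")

# Byte strings a shell script stored in an attribute value is likely to
# contain. Detection indicators only; ordinary metadata values such as
# quarantine strings, plist blobs and URLs do not contain them.
SCRIPT_MARKERS = (b"/bin/sh", b"/bin/bash", b"/bin/zsh", b"osascript",
                  b"curl ", b"chmod +x", b"base64 -", b"xattr -")

LARGE_VALUE = 4096  # bytes; metadata values are usually far smaller

# Assumed layout of the hex dump `xattr -p` emits for non-text values:
# "00000000  62 70 6C 69 73 74 30 30 ...  |bplist00...|"
_HEXDUMP_LINE = re.compile(rb"^([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s?)+)")


def decode_xattr_output(raw: bytes) -> bytes:
    """Return the attribute value as bytes, undoing the hex dump that the
    macOS `xattr -p` tool emits for values it considers non-printable.
    Text values come back unchanged minus the newline the tool appends.
    Every line must be a dump line with sequential 16-byte offsets,
    otherwise the whole output is treated as plain text."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    if not lines:
        return b""
    decoded = bytearray()
    for index, line in enumerate(lines):
        m = _HEXDUMP_LINE.match(line)
        if m is None or int(m.group(1), 16) != index * 16:
            return raw[:-1] if raw.endswith(b"\n") else raw
        decoded.extend(bytes.fromhex(m.group(2).decode("ascii")))
    return bytes(decoded)


def classify_attribute(name: str, value: bytes) -> list[str]:
    """Return the reasons an attribute looks suspicious (empty = nothing
    noteworthy). A custom name alone is low confidence, since backup and
    sync tools write their own attributes; a script-shaped value is the
    strong signal."""
    reasons: list[str] = []
    if not name.startswith(KNOWN_PREFIXES):
        reasons.append("non-vendor attribute name")
    lowered = value.lower()  # markers are lowercase ASCII
    if lowered.lstrip().startswith(b"#!"):
        reasons.append("value starts with a shebang")
    hits = [m.decode() for m in SCRIPT_MARKERS if m in lowered]
    if hits:
        reasons.append("shell tokens in value: " + ", ".join(hits))
    if len(value) > LARGE_VALUE and not name.startswith("com.apple."):
        reasons.append(f"unusually large value ({len(value)} bytes)")
    return reasons


def list_attribute_names(path: str) -> list[str]:
    """Attribute names on `path` via `xattr <file>` (one name per line).
    macOS only; raises FileNotFoundError where the tool is absent."""
    out = subprocess.run(["xattr", path], capture_output=True, check=True)
    return [ln.decode("utf-8", "replace") for ln in out.stdout.splitlines() if ln]


def read_attribute(path: str, name: str) -> bytes:
    """Raw value of one attribute, via `xattr -p <name> <file>`."""
    out = subprocess.run(["xattr", "-p", name, path], capture_output=True, check=True)
    return decode_xattr_output(out.stdout)


def scan_file(path: str) -> dict[str, list[str]]:
    """Map each suspicious attribute on `path` to its reasons."""
    findings = {}
    for name in list_attribute_names(path):
        reasons = classify_attribute(name, read_attribute(path, name))
        if reasons:
            findings[name] = reasons
    return findings


def scan_tree(root: str) -> dict[str, dict[str, list[str]]]:
    """Walk `root` without following symlinks; unreadable files are skipped."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if os.path.islink(full):
                continue
            try:
                findings = scan_file(full)
            except subprocess.CalledProcessError:
                continue
            if findings:
                report[full] = findings
    return report


# Constructed sample, modelled on the article's description: a benign
# quarantine string, a binary plist as `xattr -p` would dump it, and a
# custom attribute named "test" holding a harmless shell script.
SAMPLE_ATTRIBUTES = {
    "com.apple.quarantine": b"0083;6735a1c2;Safari;CONSTRUCTED-UUID\n",
    "com.apple.metadata:kMDItemWhereFroms": b"00000000  62 70 6C 69 73 74 30 30  |bplist00|\n",
    "test": b"#!/bin/sh\necho constructed example\n",
}


def demo() -> dict[str, list[str]]:
    """Run the classification over SAMPLE_ATTRIBUTES (no macOS needed)."""
    findings = {}
    for name, raw in SAMPLE_ATTRIBUTES.items():
        reasons = classify_attribute(name, decode_xattr_output(raw))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(json.dumps(scan_tree(target) if target else demo(), indent=2))
```

Run it on a Mac as `python3 xattr_scan.py ~/Downloads` (the file name is a placeholder); with no argument it classifies the embedded sample instead. In the sample, only the `test` attribute is reported, with three reasons (non-vendor name, shebang, `/bin/sh` token), while the quarantine string and the plist blob pass. Treat the name heuristic on its own as a prompt to look, not a verdict.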
