“Unveiling Stealth: Novel Use of Extended Attributes in macOS by APT Lazarus to Conceal Malicious Codes”
Exploring the Use of Extended Attributes in macOS Malware: A Case Study of RustyAttr by Lazarus Group
In the shadowy corridors of cybersecurity, a novel method of subterfuge has emerged, casting a pall over the relative safety once associated with macOS devices. Researchers have recently unearthed a cunning tactic employed by threat actors to cloak malicious codes within the lesser-known realms of Extended Attributes (EAs) on macOS, effectively sidestepping traditional detection mechanisms. This discovery not only highlights the evolving sophistication of cyber threats but also serves as a stark reminder of the perpetual arms race between cybercriminals and defenders.
Extended Attributes are essentially metadata components that can be attached to file systems’ files and directories, offering a way to store additional information beyond the standard attributes like permissions or timestamps. This feature, while useful for legitimate purposes, has also opened a new avenue for exploitation. The closest parallel to this method was observed back in 2020 when the Bundlore adware was found concealing its payload within resource forks, accessible via a unique path. However, the recent findings suggest a more advanced iteration of this technique.
The dubious honor of this innovation goes to a malware dubbed “RustyAttr,” attributed with medium confidence to the notorious APT Lazarus Group. Despite the limited number of samples detected in the wild, the implications are troubling. The RustyAttr malware leverages the Tauri framework—a toolset for building lightweight web-based desktop applications using technologies like Rust for backend operations and common web languages for the frontend. This blend allows for powerful, versatile applications but, in the wrong hands, becomes a potent weapon.
The modus operandi of RustyAttr involves defining a custom extended attribute type named “test.” Within these attributes, malicious scripts are discreetly embedded, only to be retrieved and executed by the unsuspecting application at runtime. This stealthy execution process is particularly concerning because it leaves virtually no footprint that typical antivirus tools can detect.
Adding to the complexity are the decoys used by RustyAttr. One such decoy fetches a seemingly innocuous PDF titled “Investment Decision-Making Questionnaire” from a file hosting service, which discusses topics related to game project development and funding. Another decoy simply displays a misleading dialog box stating, “This app does not support this version.” These tactics serve dual purposes: validating the application’s functionality to the user and diverting attention from any malicious background activities.
Moreover, when these Tauri applications run, they attempt to render an HTML webpage using WebView, incorporating random templates sourced online. However, nestled within these pages is another suspicious JavaScript file named “preload.js.” This file exploits Tauri’s ‘invoke’ function—an API that facilitates communication between the JavaScript frontend and Rust backend—allowing the hidden malicious code within the extended attributes to be executed seamlessly.
At present, these files remain undetected on platforms like VirusTotal, likely due to their novel concealment method. This invisibility underscores the need for heightened vigilance and robust defensive strategies against such sophisticated threats.
To safeguard against such risks, it is imperative to monitor and scrutinize all file downloads, openings, or executions meticulously. Disabling macOS Gatekeeper or allowing applications from unknown developers can provide these threats with just the loophole they need to infiltrate systems. In this ever-evolving landscape of cybersecurity threats, constant vigilance is not just advisable; it is essential to ensure organizational and personal cybersecurity integrity.
