A new technique used by the Lazarus Advanced Persistent Threat (APT) group allows the threat actor to smuggle malicious code onto macOS systems by storing it in custom extended attributes.
This method, observed by Group-IB, bypasses traditional security measures, enabling malicious code to remain hidden and undetected.
Extended attributes, typically used to store additional file metadata, are now being leveraged by Lazarus to hide and execute malware on targeted systems.
Evolution of Malware Concealment
The group’s recent malware samples suggest it is experimenting with extended attributes to avoid detection, much like a previous technique used in 2020, where Bundlore adware hid its payload in resource forks. However, Lazarus’s new approach takes advantage of extended attributes, which are more versatile on modern macOS systems.
Among the Lazarus-developed malware discovered was “RustyAttr,” a Trojan built with the Tauri framework. Tauri allows developers to build applications that combine a web frontend with a Rust backend, which has the potential to run stealthily on macOS.
By hiding malicious code inside extended attributes and then executing it using Tauri’s built-in interface commands, Lazarus circumvents many antivirus protections. Notably, this malware remains fully undetected on VirusTotal.
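The concealment described above leaves a forensic trace: the payload still has to live in an extended attribute on disk, so defenders can enumerate attributes and flag ones that do not belong. The following triage script is an added example written for this article; it is not Group-IB’s tooling or code from the RustyAttr sample. It flags attributes whose names fall outside a small allow-list of well-known Apple attribute names, whose values are unusually large, or whose values look like script text. The allow-list, the size threshold, the script markers and the sample file paths are all assumptions chosen for illustration.

```python
"""Triage extended attributes (xattrs) for smuggled script payloads.

Added example, not from the article or from Group-IB. The allow-list,
threshold, markers and sample data below are constructed assumptions.
"""
from __future__ import annotations

import os
import re
import subprocess
from dataclasses import dataclass

# Apple attribute names commonly seen on downloaded files; treated as
# benign for triage purposes (assumption: tune for your environment).
KNOWN_BENIGN = {
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.metadata:kMDItemWhereFroms",
    "com.apple.metadata:_kMDItemUserTags",
    "com.apple.lastuseddate#PS",
    "com.apple.provenance",
    "com.apple.macl",
}
MAX_BENIGN_SIZE = 4096  # bytes; chosen threshold, not a documented limit
# Markers that suggest an attribute value is a script rather than metadata.
SCRIPT_MARKERS = re.compile(rb"^#!|\bosascript\b|\bbash\b|\bzsh\b|\bcurl\b", re.M)


@dataclass
class Finding:
    path: str
    attr: str
    size: int
    reason: str


def classify(attr: str, value: bytes) -> str | None:
    """Return a reason string if the attribute looks suspicious, else None."""
    if len(value) > MAX_BENIGN_SIZE:
        return f"oversized value ({len(value)} bytes)"
    if attr not in KNOWN_BENIGN and SCRIPT_MARKERS.search(value):
        return "script-like content in non-standard attribute"
    if attr not in KNOWN_BENIGN:
        return "non-standard attribute name"
    return None


def scan(xattrs: dict[str, dict[str, bytes]]) -> list[Finding]:
    """xattrs maps file path -> {attribute name -> raw attribute value}."""
    findings = []
    for path, attrs in xattrs.items():
        for name, value in attrs.items():
            reason = classify(name, value)
            if reason:
                findings.append(Finding(path, name, len(value), reason))
    return findings


def collect_linux(path: str) -> dict[str, bytes]:
    """Read xattrs with the os module (available on Linux, not on macOS)."""
    return {n: os.getxattr(path, n) for n in os.listxattr(path)}


def collect_macos(path: str) -> dict[str, bytes]:
    """Read xattrs through the macOS `xattr` tool: names, then hex values."""
    names = subprocess.run(["xattr", path], capture_output=True,
                           text=True, check=True).stdout.split()
    out = {}
    for n in names:
        hexdump = subprocess.run(["xattr", "-px", n, path], capture_output=True,
                                 text=True, check=True).stdout
        out[n] = bytes.fromhex(hexdump)  # fromhex skips whitespace/newlines
    return out


# Constructed sample: one ordinary download, one file carrying a script in a
# custom attribute that mimics the decoy dialog behaviour described above.
SAMPLE = {
    "/Users/demo/Downloads/project-brief.pdf": {
        "com.apple.quarantine": b"0083;66f2a1b0;Safari;00000000-0000-0000-0000-000000000000",
    },
    "/Users/demo/Downloads/Viewer.app/Contents/MacOS/Viewer": {
        "test": b"#!/bin/sh\n/usr/bin/osascript -e 'display dialog \"Update required\"'\n",
    },
}

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.path}: {f.attr} ({f.size} bytes) -> {f.reason}")
```

On a live macOS host, feed `collect_macos()` the paths of interest (for example, everything under `~/Downloads` and any `.app` bundle contents) and pass the resulting mapping to `scan()`. The checks are intentionally ordered from strongest to weakest signal: an oversized value is flagged regardless of name, a script-looking value in an unfamiliar attribute is the pattern this article describes, and an unfamiliar name alone is only a low-confidence lead.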
Deceptive Tactics and User Distraction
The research also found that Lazarus’s malware includes various decoy elements, such as PDFs related to project development or cryptocurrency, and fake system messages.
The decoys are intended to mislead users while the malware executes in the background, fetching additional malicious scripts from command-and-control (C2) servers associated with Lazarus since 2024. Some files even referenced previous Lazarus campaigns, such as the RustBucket malware from 2023.
Key findings from Group-IB’s analysis include:
- Code smuggling using extended attributes, a technique not yet cataloged in the MITRE ATT&CK framework
- The discovery of RustyAttr, a macOS Trojan built with the Tauri framework
- The use of fake decoys and dialogs to distract users while malicious scripts are executed
- A moderate confidence level in attributing this activity to Lazarus, as no direct victims were identified
At present, Apple’s Gatekeeper prevents unsigned or unnotarized applications from running. However, if victims override these protections, they could unwittingly allow Lazarus’s malware to deploy.
Cybersecurity experts urged users to remain cautious when prompted to download files from unfamiliar sources and to keep Gatekeeper protections enabled, as disabling them could leave macOS systems vulnerable to such attacks.