The North Korean threat group Lazarus was observed attempting to smuggle code using custom extended file attributes via a new macOS trojan called "RustyAttr."
In a Nov. 13 blog post, Group-IB researchers explained that they have only encountered a few samples of the trojan in the wild and cannot confirm any victims, adding that it’s possible that Lazarus has been experimenting with methods for concealing code within the macOS files.
The researchers said they anticipate that this tool could potentially be used in future attacks after it has been made further robust with code signing, notarization, obfuscation, and a more inconspicuous custom attribute name. RustyAttr was built using the Tauri framework, which lets developers build lightweight desktop apps using web technologies — apps that will fetch and execute the malicious script located in the extended attributes.
According to Group-IB, extended file attributes are metadata that can be associated with files and directories in various file systems. They let users store additional information about a file beyond the standard attributes like file size, timestamps, and permissions.
Hackers use these macOS extended file attributes to hide malicious code within custom metadata, which makes it difficult for security tools to detect, explained Jason Soroko, senior fellow at Sectigo. The real danger lies in the stealthiness of this method, said Soroko, as traditional antivirus software may not recognize the threat.
“This lets attackers infiltrate systems and execute malicious payloads undetected,” Soroko said. “Security teams should implement monitoring techniques that scrutinize file attributes, regularly update threat detection algorithms, and increase awareness of unconventional malware delivery methods like those employing the Tauri framework.”
Eric Schwake, director of cybersecurity strategy at Salt Security, said this new malware delivery technique serves as a reminder that attackers continuously evolve their methods to bypass traditional security measures. Schwake said the theat actor has evaded detection by concealing malicious code within custom file metadata and employing decoy documents.
“Security teams must remain vigilant and adopt a proactive approach to defend against such threats,” said Schwake. “This includes implementing advanced threat detection solutions capable of analyzing file metadata and identifying anomalies, regularly updating security tools and policies, and educating users about the risks of opening suspicious files or clicking on unknown links.”
