A recent development in the cybersecurity landscape has revealed a new technique utilized by the Lazarus Advanced Persistent Threat (APT) group to infiltrate macOS systems with malicious code. This innovative method, detected by Group-IB, involves the use of custom extended attributes to smuggle and execute malware, evading traditional security measures and remaining undetected.
Extended attributes, typically employed to store additional file metadata, are now being leveraged by Lazarus to conceal and run malicious code on targeted macOS systems. This evolution in malware concealment marks a significant shift in the group’s tactics, as they experiment with new ways to bypass detection. Similar to a technique observed in 2020 where Bundlore adware concealed its payload in resource forks, Lazarus’s approach using extended attributes offers increased versatility on modern macOS systems.
Among the malware samples attributed to Lazarus is “RustyAttr,” a Trojan developed using the Tauri framework. Tauri lets developers build applications that pair a web frontend with a Rust backend, and Lazarus uses that combination to run the smuggled code quietly on macOS. By embedding malicious code within extended attributes and leveraging Tauri’s interface commands to execute it, Lazarus can evade many antivirus protections, with the malware remaining undetected on VirusTotal.
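As an added example (not code from the Group-IB report or from RustyAttr), the following Python triage script walks a directory tree and flags files that carry extended attributes outside Apple's usual namespaces, or attribute values that are oversized or look like script content. The allowlist of benign prefixes, the content markers and the size threshold are assumptions chosen for illustration, not indicators from the report.

```python
import os
import subprocess
from typing import Dict, Iterator, List, Tuple

# Apple-managed attribute names routinely seen on macOS files (assumed triage
# allowlist, not an exhaustive catalogue); anything outside it gets a look.
BENIGN_PREFIXES = ("com.apple.quarantine", "com.apple.FinderInfo",
                   "com.apple.ResourceFork", "com.apple.metadata:",
                   "com.apple.lastuseddate#PS", "com.apple.provenance",
                   "com.apple.macl", "com.apple.TextEncoding")
# Content markers suggesting an attribute holds a script rather than metadata
# (constructed heuristics, not indicators taken from the Group-IB report).
SCRIPT_MARKERS = (b"#!/", b"osascript", b"/bin/sh", b"/bin/zsh", b"curl ")
SIZE_THRESHOLD = 256  # bytes; genuine metadata attributes are usually small

def classify_attrs(attrs: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (attribute name, reason) pairs for attributes worth analyst review."""
    findings = []
    for name, value in attrs.items():
        if not name.startswith(BENIGN_PREFIXES):
            findings.append((name, "unrecognised attribute namespace"))
        if len(value) > SIZE_THRESHOLD:
            findings.append((name, f"oversized value ({len(value)} bytes)"))
        if any(marker in value for marker in SCRIPT_MARKERS):
            findings.append((name, "value contains script-like content"))
    return findings

def read_attrs(path: str) -> Dict[str, bytes]:
    """Read every extended attribute of one file as {name: raw value}."""
    if hasattr(os, "listxattr"):  # Linux builds of Python expose the syscalls
        return {n: os.getxattr(path, n, follow_symlinks=False)
                for n in os.listxattr(path, follow_symlinks=False)}
    # The stock macOS interpreter lacks os.*xattr, so shell out to xattr(1);
    # 'xattr -p' prints text values verbatim (binary values as a hex dump).
    names = subprocess.run(["xattr", path], capture_output=True, text=True,
                           check=True).stdout.split()
    return {n: subprocess.run(["xattr", "-p", n, path], capture_output=True,
                              check=True).stdout for n in names}

def scan_tree(root: str) -> Iterator[Tuple[str, str, str]]:
    """Walk root and yield (file, attribute, reason) for every suspicious attribute."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                attrs = read_attrs(path)
            except (OSError, subprocess.CalledProcessError):
                continue
            for attr, reason in classify_attrs(attrs):
                yield path, attr, reason
```

Run it as `for hit in scan_tree("/path/to/suspect/app"): print(hit)` and review each flagged attribute with `xattr -p <name> <file>` before drawing conclusions, since legitimate third-party software also writes custom attributes.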
In addition to utilizing extended attributes for code smuggling, Lazarus’s malware incorporates deceptive tactics to distract and mislead users. Decoy elements such as project development-related PDFs and fake system messages are designed to divert attention while the malware operates in the background, fetching additional malicious scripts from Lazarus’s command-and-control servers. Some files even reference previous Lazarus campaigns, adding to the deception.
Key findings from Group-IB’s analysis include the use of extended attributes for code smuggling, the discovery of RustyAttr trojan built with the Tauri framework, the deployment of fake decoys and dialogs for user distraction, and a moderate confidence level in attributing this activity to Lazarus. While Apple’s Gatekeeper provides protection against unsigned or unnotarized applications, users are advised to exercise caution when downloading files from unfamiliar sources and to keep Gatekeeper protections enabled to prevent macOS systems from being vulnerable to such attacks.
As cybersecurity experts emphasize vigilance and adherence to security protocols, it is crucial for users to remain cautious and informed about potential threats targeting macOS systems. By staying informed and maintaining security measures, users can safeguard their devices against sophisticated cyber threats like those orchestrated by the Lazarus APT group.