Menace actors have been discovered leveraging a brand new approach that abuses prolonged attributes for macOS recordsdata to smuggle a brand new malware known as RustyAttr.
The Singaporean cybersecurity firm has attributed the novel exercise with average confidence to the notorious North Korea-linked Lazarus Group, citing infrastructure and tactical overlaps noticed in reference to prior campaigns, together with RustBucket.
Prolonged attributes confer with extra metadata related to recordsdata and directories that may be extracted utilizing a devoted command known as xattr. They’re typically used to retailer info that goes past the usual attributes, equivalent to file measurement, timestamps, and permissions.
The malicious purposes found by Group-IB are constructed utilizing Tauri, a cross-platform desktop utility framework, and signed with a leaked certificates that has since been revoked by Apple. They embrace an prolonged attribute that is configured to fetch and run a shell script.
The execution of the shell script additionally triggers a decoy, which serves as a distraction mechanism by both displaying an error message “This app doesn’t help this model” or a seemingly innocent PDF doc associated to the event and funding of gaming initiatives.
“Upon executing the applying, the Tauri utility makes an attempt to render a HTML webpage utilizing a WebView,” Group-IB safety researcher Sharmine Low stated. “The [threat actor] used some random template pulled off the web.”
However what’s additionally notable is that these net pages are engineered to load a malicious JavaScript, which then obtains the content material of the prolonged attributes and executes it by way of a Rust backend. That stated, the pretend net web page is ultimately displayed solely in circumstances the place there aren’t any prolonged attributes.
The tip purpose of the marketing campaign stays unclear, particularly in gentle of the truth that there was no proof of any additional payloads or confirmed victims.
“Fortuitously, macOS techniques present some degree of safety for the discovered samples,” Low stated. “To set off the assault, customers should disable Gatekeeper by overriding malware safety. It’s doubtless that some extent of interplay and social engineering can be essential to persuade victims to take these steps.”
The event comes as North Korean risk actors have been participating in in depth campaigns that goal to safe distant positions with companies internationally, in addition to trick present workers working at cryptocurrency firms into downloading malware underneath the pretext of coding interviews.