Menace actors have been discovered leveraging a brand new method that abuses prolonged attributes for macOS information to smuggle a brand new malware known as RustyAttr.
The Singaporean cybersecurity firm has attributed the novel exercise with average confidence to the notorious North Korea-linked Lazarus Group, citing infrastructure and tactical overlaps noticed in reference to prior campaigns, together with RustBucket.
Prolonged attributes consult with extra metadata related to information and directories that may be extracted utilizing a devoted command known as xattr. They’re usually used to retailer data that goes past the usual attributes, akin to file dimension, timestamps, and permissions.
The malicious functions found by Group-IB are constructed utilizing Tauri, a cross-platform desktop utility framework, and signed with a leaked certificates that has since been revoked by Apple. They embrace an prolonged attribute that is configured to fetch and run a shell script.
The execution of the shell script additionally triggers a decoy, which serves as a distraction mechanism by both displaying an error message “This app doesn’t assist this model” or a seemingly innocent PDF doc associated to the event and funding of gaming tasks.
“Upon executing the appliance, the Tauri utility makes an attempt to render a HTML webpage utilizing a WebView,” Group-IB safety researcher Sharmine Low stated. “The [threat actor] used some random template pulled off the web.”
However what’s additionally notable is that these internet pages are engineered to load a malicious JavaScript, which then obtains the content material of the prolonged attributes and executes it via a Rust backend. That stated, the faux internet web page is ultimately displayed solely in circumstances the place there aren’t any prolonged attributes.
The tip objective of the marketing campaign stays unclear, particularly in gentle of the truth that there was no proof of any additional payloads or confirmed victims.
“Happily, macOS techniques present some degree of safety for the discovered samples,” Low stated. “To set off the assault, customers should disable Gatekeeper by overriding malware safety. It’s doubtless that some extent of interplay and social engineering shall be essential to persuade victims to take these steps.”
The event comes as North Korean menace actors have been participating in intensive campaigns that purpose to safe distant positions with companies the world over, in addition to trick present workers working at cryptocurrency corporations into downloading malware underneath the pretext of coding interviews.
