
    New RustyAttr Malware Infiltrates macOS Using Extended Attribute Manipulation

    Cyber adversaries have recently unveiled an innovative tactic, exploiting extended attributes in macOS files to covertly deploy a new malware strain known as RustyAttr.

    Singapore-based cybersecurity firm Group-IB has traced this technique with moderate certainty to the Lazarus Group, a North Korea-affiliated threat actor, noting similarities in infrastructure and methods that align with previous incursions like the RustBucket campaign.

    Extended attributes in macOS are supplementary metadata that goes beyond the basic file properties such as size, timestamps, and permissions; they can be listed, read, and written with the xattr command. This metadata space is frequently used to store non-standard information associated with files and directories, and its contents are not shown by Finder or a plain ls.

    The RustyAttr malware, uncovered by Group-IB, is built using Tauri—a cross-platform framework for desktop applications—and signed with a certificate that has since been invalidated by Apple. Embedded within this malware is an extended attribute designed to fetch and execute a shell script.

    Execution of this script also initiates a distraction mechanism, presenting either an error message (“This app does not support this version”) or displaying an innocuous PDF related to game development funding.

    Group-IB’s researcher Sharmine Low explained that the Tauri application attempts to render an HTML page via WebView upon launch. The threat actor appears to have sourced a random template from the internet for these pages, which are rigged to load malicious JavaScript that extracts and executes the extended attribute content through a Rust backend. Notably, the decoy webpage only appears when no extended attributes are detected.
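    The technique described above, a script payload hidden in an extended attribute rather than in the file body, is something a defender can hunt for directly, because the attribute names Apple itself writes are well known and a script stored as metadata looks nothing like them. The following triage script is an added example and is not Group-IB's tooling or code from the RustyAttr sample: it reads every extended attribute on the files under a directory, flags attribute names outside a small allowlist of Apple-written attributes, and raises the severity when the attribute value contains shell-script markers (a shebang, a download piped into a shell, osascript, and similar). The allowlist, the marker patterns, and the sample attribute set used in the demo are assumptions chosen for illustration, not indicators from the article.

```python
import os
import re
import subprocess
import sys
import tempfile
from typing import Dict, List, Tuple

# Attribute names that macOS components write routinely (assumed allowlist).
# Anything outside this set is reported at low severity for a human to review.
KNOWN_APPLE_XATTRS = {
    "com.apple.quarantine",
    "com.apple.metadata:kMDItemWhereFroms",
    "com.apple.FinderInfo",
    "com.apple.ResourceFork",
    "com.apple.lastuseddate#PS",
    "com.apple.provenance",
}

# Byte patterns that make an attribute value look like an executable script
# (assumed heuristics; tune them for your environment).
SCRIPT_MARKERS = (
    re.compile(rb"^#!\s*/"),                               # shebang at offset 0
    re.compile(rb"\b(curl|wget)\b[^\n]*\|\s*(ba|z)?sh\b"), # fetch piped into a shell
    re.compile(rb"\b(osascript|bash -c|sh -c|nohup|chmod \+x)\b"),
    re.compile(rb"\bbase64\b[^\n]*\|"),                    # decode-and-pipe chains
)

Finding = Tuple[str, str, List[str]]  # (attribute name, severity, reasons)


def classify_xattrs(attrs: Dict[str, bytes]) -> List[Finding]:
    """Score one file's extended attributes. Only attributes with a reason are returned."""
    findings: List[Finding] = []
    for name, value in attrs.items():
        reasons: List[str] = []
        if name not in KNOWN_APPLE_XATTRS:
            reasons.append("non-standard attribute name")
        if any(p.search(value) for p in SCRIPT_MARKERS):
            reasons.append("value looks like a shell script")
        if reasons:
            severity = "high" if "value looks like a shell script" in reasons else "low"
            findings.append((name, severity, reasons))
    return findings


def read_xattrs(path: str) -> Dict[str, bytes]:
    """Return {name: raw value} for one file. Uses os.listxattr on Linux and the
    macOS xattr tool (names via `xattr FILE`, hex values via `xattr -px NAME FILE`)."""
    if hasattr(os, "listxattr"):
        return {n: os.getxattr(path, n) for n in os.listxattr(path)}
    names = subprocess.run(["xattr", path], capture_output=True, text=True,
                           check=False).stdout.split()
    out: Dict[str, bytes] = {}
    for n in names:
        hexdump = subprocess.run(["xattr", "-px", n, path], capture_output=True,
                                 text=True, check=False).stdout
        out[n] = bytes.fromhex("".join(hexdump.split()))
    return out


def scan_tree(root: str) -> Dict[str, List[Finding]]:
    """Walk a directory and return {path: findings} for files with anything to report."""
    report: Dict[str, List[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                findings = classify_xattrs(read_xattrs(path))
            except OSError:
                continue  # unreadable file or filesystem without xattr support
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    # Demo on a constructed file when no directory is given on the command line.
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = tempfile.mkdtemp(prefix="xattr-demo-")
        demo = os.path.join(target, "decoy.txt")
        open(demo, "wb").close()
        if hasattr(os, "setxattr"):  # Linux user.* namespace; skipped elsewhere
            try:
                os.setxattr(demo, "user.demo", b"#!/bin/sh\necho constructed-sample\n")
            except OSError:
                pass
    for path, findings in scan_tree(target).items():
        for name, severity, reasons in findings:
            print(f"[{severity}] {path}: {name} ({'; '.join(reasons)})")
```

Run it as `python3 scan.py /Applications` (or any directory you want to sweep); a high-severity hit is an attribute whose value reads like a script and is worth pulling with `xattr -p NAME FILE` for a closer look, while low-severity hits are merely unfamiliar attribute names that may be legitimate application metadata.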

    The ultimate objective of this campaign remains ambiguous, as no secondary payloads or definitive targets have been identified.

    “macOS does offer a degree of security for these samples,” Low noted, adding that the malware’s execution requires users to disable Gatekeeper, thus bypassing standard malware protections. The attack likely necessitates some level of user interaction and social engineering to prompt users into deactivating this safeguard.

    This discovery emerges amid North Korean cyber efforts aimed at infiltrating global businesses through remote positions and convincing employees at cryptocurrency firms to unwittingly install malware under the guise of coding interviews.
