Lazarus Uses New RustyAttr Malware To Target macOS Systems
As per recent media reports, the Lazarus threat actor group has been observed leveraging the new RustyAttr malware to target macOS devices. It’s worth noting that the tactical and infrastructural aspects of the attack overlap with previous attack campaigns including RustyBucket. In this article, we’ll look at the techniques that were used during the attack and those implemented to evade afterward. Let’s begin!
New RustyAttr Malware Initial Discovery
The most recent activities of the Lazarus group, during which the RustyAttr malware was used, were initially discovered by the Group-IB. According to the details, shared by the cybersecurity company, Lazarus has now started to smuggle code using custom extended attributes.
Before we dive into more details, it’s essential to know that extended attributes are the metadata associated with files and directories in various file systems. Using the meta elements, users can store additional information. This additional information goes beyond the standard attributes and includes size, timestamps, and permission.
Commenting on previous use of such a technique, cybersecurity experts have stated that:
“While researching malware abusing extended attributes, the most similar technique found was one back in 2020, where Bundlore adware hid its payload in resource forks, and accessed via the special path `filename/..namedfork/rsrc`.”
It’s worth noting that a resource fork is a special part of a file found on older and classic macOS systems. These systems are known for storing structured data associated with the file. A few common examples of the stored attributes include file-specific settings, icons, and/or custom window layouts.
These resource forks aren’t present in modern macOS systems and have been replaced with extended attributes and application bundle structures. As of now experts have seen several RustyAttr malware exploit attempts, but do not have confirmation of victims and it’s believed that threat actors may be experimenting with various methods to conceal code.
Although victims have not been confirmed, the prevalence of active exploits entails those keen on ensuring protection be familiar with the RustyAttr malware details. Some of the most noteworthy aspects of the initial discovery include:
- The identification of a new technique where code is smuggled using extended attributes.
- This technique had not been used in the MITRE ATT&CK framework yet.
- The discovery of a new macOS trojan dubbed RustyAttr.
- The trojan being developed on the Tauri framework and originally being signed with a leaked certificate which had later been revoked.
- The files being undetectable on VirusTotal.
- The activity attributed to APT Lazarus at a moderate confidence level.
macOS Malware: Flow Of Execution
Before we dive into the details of the execution flow, it’s essential to know that it functions based on different aspects that include:
- The application bundle.
- Malicious script with extended attributes and a Tauri-based application contained with the bundle.
- Flow and execute operations between the malicious scripts and the rust backend.
- Communication between the backend and the web page.
It’s worth noting that while the extended attributes of the RustyAttr malware are not directly seen in the Finder and the Terminal, the cybersecurity experts were able to extract and view them using “xattr.” As a result of this, the security was able to confirm that threat actors used the extended attributes of custom type “test” during the RustyAttr malware attack.
Tauri Framework And The “Offending” Application
Details from the security firm’s report entail that the malicious application used in the RustyAttr malware attack was developed using the Tauri framework. This framework is used for developing desktop applications that are lightweight and use web technologies. By using this framework, developers can create applications while leveraging Rust for the backend.
Meanwhile, common programming languages like HTML, CSS, and JavaScript are utilized for developing the front end of the web application. The app used in the RustyAttr malware, is responsible for fetching and executing the malicious script located in the extended attributes contained in the initial application bundle payload. Experts have added that:
“After examining the shell scripts, we know that decoys will be displayed. We identified two different types of decoys. For the first type of decoy, it actually fetches a PDF file from a file hosting service at filedn[.]com.
The questions inside the “Investment Decision-Making Questionnaire” are related to development and funding of game projects. The second decoy is just a dialog displaying a message that “This app does not support this version”. Meanwhile, the web request to the staging server processes in the background.”
While the second decoy is an error message, the exact questions contained with the first decoy file include:
- What is the target market for the project? Is there a significant demand for this type of evolved, modular shooter game?
- How does the project differentiate itself from other shooter games in the market? What unique features or gameplay mechanics does it offer?
- Who are the experienced members of the development team behind the project? Do they have a successful track record in the gaming industry?
- What is the projected timeline for development and release of the project? Is it realistic and achievable?
It’s worth noting that another PDF that was found hosted on the file service was a different questionnaire titled “Questionnaire for T3rn Investment.” The document had questions about technology and scalability and smart contact registry.
Threat Actor Launching The Attack
As far as the execution is concerned, reports entail that the threat actor used a roundabout approach to launch the RustyAttr malware attack. A possible aim for such an approach may be to reduce visibility and facilitate evasion. Once executed, the RustyAttr application attempts to render an HTML webpage via WebView. Experts state that:
“The TA used some random template pulled off the internet. However within these webpages, we observed that there was an additional suspicious javascript named “preload.js” loaded.”
Those keen on ensuring protection must know that such an approach is feasible for tasks requiring performance on direct system access that JavaScript can not handle. Interface commands that were used for invoking, fetching, and executing the RustyAttr malware script include:
Command | Purpose |
get_application_path | Acquire the path of the current executable. |
get_application_properties | Get the content from the specified extended attributes. |
run_command | Execute the command/scripts. |
show_main_window | Show WebView |
close_main_window | Kill and exit. |
It’s worth noting that the files used in the RustyAttr malware remained undetected on VirusTotal. This is likely because of the fact that they were concealed in the attributes. As of now, macOS Gatekeeper has prevented the execution of these files.
However, users still have the option to override the permission. Some of the key protection measures that can help users ensure protection against threats like the RustyAttr malware include:
- Staying alert to any requests that seek the download, access, or execution of files.
- Verifying the source and ensuring trustworthiness before downloading files.
- Keeping the macOS Gatekeeper enabled and not using applications from unidentified developers.
Conclusion
The RustyAttr malware demonstrates a sophisticated new approach by Lazarus, leveraging extended attributes and the Tauri framework to target macOS systems. This technique, which involves smuggling malicious code into metadata, highlights the group’s evolving tactics to evade detection and reduce visibility.
While macOS Gatekeeper provides a critical layer of protection, users must remain vigilant by avoiding unverified applications and adhering to security best practices. The discovery of this malware emphasizes the importance of constant monitoring and swift action to counter advanced threats.
As Lazarus continues to innovate in its campaigns, cybersecurity measures must also adapt to stay one step ahead of such evolving tactics. Stay alert, stay informed, and ensure your systems remain secure!
The sources for this piece include articles in The Hacker News and Group-IB.