A new technique by the Lazarus Advanced Persistent Threat (APT) group has been used by the threat actor to smuggle malicious code onto macOS systems, using custom extended attributes.
This innovative method, observed by Group-IB, bypasses traditional security measures, enabling malicious code to remain concealed and undetected.
Extended attributes, often used to store additional file metadata, are now being leveraged by Lazarus to hide and execute malware on targeted systems.
Evolution of Malware Concealment
The group’s recent malware samples suggest they are experimenting with extended attributes to avoid detection, much like a previous technique used in 2020, where Bundlore adware concealed its payload in resource forks. However, Lazarus’s new approach takes advantage of extended attributes, which are more versatile in modern macOS systems.
Among the Lazarus-developed malware discovered was “RustyAttr,” a Trojan crafted using the Tauri framework. Tauri allows developers to build applications that blend a web frontend with a Rust backend, which has the potential to run stealthily on macOS.
By hiding malicious code within extended attributes and then executing it using Tauri’s built-in interface commands, Lazarus circumvents many antivirus protections. Notably, this malware remains fully undetected on VirusTotal.
Read more on macOS malware: Cthulhu Stealer Malware Targets macOS With Deceptive Tactics
Deceptive Tactics and User Distraction
The research also found that Lazarus’s malware includes various decoy elements, such as PDFs related to project development or cryptocurrency, and fake system messages.
The decoys are intended to mislead users while the malware executes in the background, fetching additional malicious scripts from command-and-control (C2) servers associated with Lazarus since 2024. Some files even referenced previous Lazarus campaigns, like the RustBucket malware from 2023.
Key findings from Group-IB’s analysis include:
-
Code smuggling using extended attributes, a technique not yet cataloged in the MITRE ATT&CK framework
-
The discovery of RustyAttr, a macOS trojan built with the Tauri framework
-
The use of fake decoys and dialogs to distract users while malicious scripts are executed
-
A moderate confidence level in attributing this activity to Lazarus, as no direct victims were identified
At present, Apple’s Gatekeeper prevents unsigned or unnotarized applications from running. However, if victims override these protections, they could unwittingly enable Lazarus’s malware to deploy.
Cybersecurity experts urged users to stay cautious when prompted to download files from unfamiliar sources and to keep Gatekeeper protections enabled, as disabling these may leave macOS systems vulnerable to such attacks.
Image credit: DenPhotos / Shutterstock.com