Hackers use macOS extended file attributes to hide malicious code

Hackers are using a novel technique that abuses extended attributes for macOS files to deliver a new trojan that researchers call RustyAttr.

The threat actor is hiding malicious code in custom file metadata and also uses decoy PDF documents to help evade detection.

The new technique is similar to how the Bundlore adware in 2020 hid its payloads in resource forks on macOS. It was discovered in a few malware samples in the wild by researchers at cybersecurity company Group-IB.

Based on their analysis and because they could not confirm any victims, the researchers attribute the samples to the North Korean threat actor Lazarus with moderate confidence. They believe that the attacker may be experimenting with a new malware delivery solution.

The method is uncommon and proved effective against detection, as none of the security agents on the VirusTotal platform flagged the malicious files.

Concealing code in file attributes

macOS extended attributes (EAs) are hidden metadata typically associated with files and directories. They are not directly visible in Finder or the terminal, but can be extracted with the 'xattr' command, which shows, edits, or removes extended attributes.

In the case of RustyAttr attacks, the EA name is 'test' and holds a shell script.

Shell script inside macOS extended attribute
Source: Group-IB

The malicious apps storing the EA are built using the Tauri framework, which combines a web frontend (HTML, JavaScript) with a Rust backend whose functions the frontend can call.

When the application runs, it loads a webpage containing a JavaScript file ('preload.js') that gets the content from the location indicated in the 'test' EA and sends it to the 'run_command' function, which executes the shell script.

Contents of preload.js
Source: Group-IB

To keep user suspicion low during this process, some samples launch decoy PDF files or display error dialogs.

Decoy PDF hides malicious background activity
Source: Group-IB

The PDF is fetched from a pCloud instance for public file sharing that also contains entries with names related to cryptocurrency investment topics, which aligns with Lazarus’ targets and goals.

The few samples of RustyAttr apps Group-IB found all pass detection tests on VirusTotal. The applications were signed using a leaked certificate, which Apple has since revoked, but were not notarized.

App certificate details
Source: Group-IB

Group-IB was not able to retrieve and analyze the next-stage malware but discovered that the staging server connects to a known endpoint in Lazarus infrastructure to attempt to fetch it.

Execution flow
Source: Group-IB
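
Because the script sits in an extended attribute rather than in a file's contents, a defender can hunt for it by listing each file's attributes with 'xattr' and flagging non-Apple attributes whose values read like shell script. The Python example below is added here and is not Group-IB's tooling; the marker list, the 90% printable-text threshold and the sample values are assumptions constructed for illustration.

```python
import re
import subprocess
import sys
from pathlib import Path

# Namespaces macOS itself writes (quarantine, Finder info, ...); skipped to cut noise.
SYSTEM_PREFIXES = ("com.apple.",)
# Heuristic shell markers: an assumption of this example, not a published rule.
SCRIPT_MARKERS = re.compile(
    rb"^#!|\b(curl|wget|osascript|nohup)\b|/bin/(ba|z)?sh\b|\|\s*(ba|z)?sh\b", re.M)

# Constructed sample: attribute name -> raw value, as read from one file.
SAMPLE = {
    "com.apple.quarantine": b"0083;00000000;Safari;",
    "user.note": b"quarterly-report-draft",
    "icon.cache": b"\x00\x01\x02bplist00\xd1\x01\x02curl\x00\xff\xfe",
    "test": b"(curl -o /tmp/placeholder.pdf https://example.invalid/a.pdf) 2>/dev/null",
}

def looks_like_script(value: bytes) -> bool:
    """True when a value is mostly printable text and contains a shell marker."""
    if len(value) < 8:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in value)
    return printable / len(value) > 0.9 and bool(SCRIPT_MARKERS.search(value))

def suspicious(attrs: dict) -> list:
    """Names of non-Apple attributes whose values look like shell script."""
    return sorted(name for name, value in attrs.items()
                  if not name.startswith(SYSTEM_PREFIXES) and looks_like_script(value))

def read_xattrs(path: Path) -> dict:
    """Read every attribute of one file with the macOS 'xattr' tool (hex output)."""
    run = lambda *a: subprocess.run(["xattr", *a, str(path)],
                                    capture_output=True, text=True).stdout
    return {n: bytes.fromhex(run("-px", n)) for n in run().splitlines() if n}

def scan(root: Path):
    """Yield (path, attribute names) for each flagged file under root."""
    for path in [root, *root.rglob("*")]:
        hits = suspicious(read_xattrs(path))
        if hits:
            yield path, hits

if __name__ == "__main__":
    for path, hits in scan(Path(sys.argv[1])):
        print(f"{path}: script-like extended attributes: {hits}")
```

On a Mac, pass an application bundle or a downloads directory as the first argument; a hit is a triage lead that still needs manual review of the attribute's content.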

Experimenting with macOS evasion

The case reported by Group-IB is very similar to another recent report from SentinelLabs, which observed the North Korean threat actor BlueNoroff experimenting with similar yet distinct techniques for evasion in macOS.

BlueNoroff used cryptocurrency-themed phishing to lure targets to download a malicious app that was signed and notarized.

The apps used a modified 'Info.plist' file to stealthily trigger a malicious connection to the attacker-controlled domain, from which the second-stage payload is retrieved.

It is unknown if the campaigns are related, but it is common for separate activity clusters to use the same information on how to effectively breach macOS systems without triggering alarms.
