Group-IB, Stealthy Attributes of APT Lazarus: Evading Detection with Extended Attributes
November 2024 by Group-IB
Group-IB just published new findings about APT Lazarus, which has recently been observed to be experimenting with a novel method of smuggling malicious code using custom extended attributes (EAs) in Apple macOS file systems. Extended attributes, which store additional metadata beyond standard file information, offer a more covert way to conceal payloads compared to traditional file structures.
This technique is similar to the 2020 Bundlore adware campaign, which hid its payload in resource forks, a now-deprecated feature in macOS. While only a few samples have been detected and no confirmed victims identified, this indicates a potential shift in malware tactics, with Lazarus leveraging extended attributes to evade detection and possibly set the stage for a new trend in malware targeting macOS.
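The summary above does not include any detection logic, so the following is an added example (not Group-IB's code and not taken from the RustyAttr samples) of how a defender might triage macOS extended attributes: it treats attributes outside the com.apple.* namespace that are unusually large, base64-like, or contain script markers as worth a closer look. The attribute names, size threshold, content markers and the two sample files are assumptions constructed for the example; the payload attribute name `sample.payload` is invented and is not an indicator from the report. On macOS the live data would normally come from `xattr -l`, while the `read_xattrs` helper uses `os.listxattr`, which Python provides on Linux but not on macOS builds.

```python
"""Added example: flag files whose extended attributes look like a
smuggling channel rather than ordinary macOS metadata (not Group-IB code)."""
import os
import re
from dataclasses import dataclass

# Attribute names macOS itself writes; anything else is treated as "custom".
KNOWN_APPLE_PREFIXES = ("com.apple.",)
# Custom attributes larger than this are unusual for metadata (assumed threshold).
LARGE_VALUE_BYTES = 1024
# Content markers that suggest an executable script rather than metadata (assumed list).
SCRIPT_MARKERS = (b"#!/", b"osascript", b"/bin/sh", b"/bin/bash", b"curl ")
# A long run of base64 alphabet characters is another sign of an encoded blob.
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]{64,}$")


@dataclass
class Finding:
    path: str
    attr: str
    size: int
    reasons: tuple


def classify_attribute(name: str, value: bytes) -> list:
    """Return the list of suspicious signals for one attribute (empty if benign)."""
    reasons = []
    if not name.startswith(KNOWN_APPLE_PREFIXES):
        reasons.append("custom-namespace")
    if len(value) > LARGE_VALUE_BYTES:
        reasons.append("large-value")
    if any(marker in value for marker in SCRIPT_MARKERS):
        reasons.append("script-content")
    elif BASE64_RE.match(value.strip()):
        reasons.append("base64-like")
    return reasons


def assess_file(path: str, attrs: dict) -> list:
    """Turn a file's {attribute name: value} map into Finding records.

    A custom name on its own is common (editors, sync clients), so a finding
    needs either a script marker or at least two independent signals.
    """
    findings = []
    for name, value in attrs.items():
        reasons = classify_attribute(name, value)
        if "script-content" in reasons or len(reasons) >= 2:
            findings.append(Finding(path, name, len(value), tuple(reasons)))
    return findings


def read_xattrs(path: str) -> dict:
    """Collect attributes via os.listxattr/os.getxattr (available on Linux,
    not on macOS Python builds, where `xattr -l` is the usual tool)."""
    if not hasattr(os, "listxattr"):
        return {}
    return {name: os.getxattr(path, name) for name in os.listxattr(path)}


def scan_tree(root: str) -> list:
    """Walk a directory tree and return all findings."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                out.extend(assess_file(full, read_xattrs(full)))
            except OSError:
                continue
    return out


# Constructed sample input: a benign app binary carrying normal Apple metadata,
# and a file with a shell script hidden in an invented custom attribute.
SAMPLE = {
    "/Applications/Example.app/Contents/MacOS/Example": {
        "com.apple.quarantine": b"0083;6553f000;Safari;",
        "com.apple.FinderInfo": b"\x00" * 32,
    },
    "/tmp/suspect/app": {
        "com.apple.quarantine": b"0083;6553f000;Safari;",
        "sample.payload": b"#!/bin/sh\n" + b"A" * 2000,
    },
}


def demo() -> list:
    """Run the assessment over the constructed sample and return the findings."""
    findings = []
    for path, attrs in SAMPLE.items():
        findings.extend(assess_file(path, attrs))
    return findings


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: xattr {f.attr!r} ({f.size} bytes) -> {', '.join(f.reasons)}")
```

Running the module prints one finding for `/tmp/suspect/app`; pointing `scan_tree` at a real directory on a Linux host with user xattrs gives the same output for live files. The two-signal rule keeps noise down, since many legitimate tools write small custom attributes; the thresholds are starting points to tune against a baseline of your own fleet.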
Key Discoveries:
Group-IB researchers have identified a new technique that has yet to be included in the MITRE ATT&CK framework: code smuggling using extended attributes.
Group-IB researchers discovered a new macOS trojan dubbed RustyAttr.
Trojans were developed using the Tauri framework, originally signed with a leaked certificate that was later revoked.
Files are fully undetected on VirusTotal.