Thursday, December 12, 2024

Lazarus Hackers Exploits macOS Extended Attributes To Evade Detection


The xattr facility in Unix-like systems allows hidden metadata to be embedded within files, much like Windows Alternate Data Streams (ADS). Threat actors such as the Lazarus Group are exploiting it, in a trojan known as RustyAttr, to stealthily conceal malicious payloads within seemingly benign files.

The Lazarus Group is covertly embedding malicious data within system files using xattr. The technique evades traditional detection methods and is currently not catalogued in the MITRE ATT&CK Framework, leaving defenders exposed to these persistent attacks.

xattr provides a mechanism to store additional metadata, such as tags, flags, or binary data, alongside files on Unix-like systems, enabling flexible file management and organization beyond standard attributes.


macOS xattr, while useful for system metadata, can be exploited by attackers to conceal malicious data within files, potentially bypassing security measures and hindering detection efforts.


Figure: creating a simple text file

A text file named `secret.txt` is created and filled with the content “not so secret”. The `xattr` command is then used to add a hidden attribute named `com.example.hidden_data` to the file, storing additional, concealed data within its extended attributes.

The `xattr secretfile.txt` command lists the extended attributes associated with the specified file, while `xattr -p user.hidden_data secretfile.txt` prints the hidden data stored within the `user.hidden_data` attribute.

Figure: viewing the hidden data stored in the extended attribute

The command `xattr -d com.example.hidden_data secret.txt` removes the extended attribute named `com.example.hidden_data` from the file `secret.txt`, which eliminates the hidden data associated with the file.

The group has been exploiting macOS’s extended attributes (xattr) to conceal malicious code and evade detection by traditional security tools. Hiding malicious payloads within file metadata allows the group to maintain persistence on infected systems.

Its RustyAttr trojan leverages macOS extended attributes for covert persistence, hiding malicious code from detection tools. This enables the group to maintain a stealthy presence on compromised systems while bypassing traditional security measures.

Figure: after extracting the zip file

The suspicious zip file (DD Form Questionnaire.zip) contains a .docx and an .app file. To investigate the .app file for hidden malicious code, the researcher used the `xattr` command with the `-r` flag to recursively examine the extended attributes within the application bundle and all of its subdirectories.

Examining the app package with `xattr -r` revealed a custom attribute named “test” containing a malicious script, which downloads a PDF, opens it, and fetches a second-stage payload from a remote server using AppleScript.
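The two procedures above, the `secret.txt` walkthrough and the `xattr -r` sweep of the app bundle, are worth having in defender-side code rather than only as shell commands. The following is an added example and is not code from the article, from Denwp, or from any Lazarus tooling. It assumes the Linux-style `os.listxattr` / `os.getxattr` / `os.setxattr` / `os.removexattr` functions (on macOS the PyPI `xattr` package offers the same four calls); the allow-list of Apple attribute prefixes and the script markers are constructed illustrations, not an exhaustive reference.

```python
"""Added example (not from the article): defender-side helpers for the
xattr-hiding technique.  Walks a bundle the way `xattr -r` does, flags
attributes macOS does not write itself, and checks whether a value looks
like a script rather than metadata.  Assumes Linux os.*xattr functions."""
import errno
import os
import tempfile
from typing import Callable, List, Optional, Tuple

# Constructed allow-list of attribute names macOS is known to write on its own
# (assumption for illustration, not a complete Apple reference).
KNOWN_MACOS_PREFIXES = (
    "com.apple.quarantine",
    "com.apple.metadata:",
    "com.apple.FinderInfo",
    "com.apple.ResourceFork",
    "com.apple.lastuseddate#PS",
    "com.apple.provenance",
)

# Byte markers that benign metadata never contains but a staged script does.
SCRIPT_MARKERS = (b"#!", b"osascript", b"do shell script", b"curl ", b"bash -c")


def is_unusual_attr(name: str) -> bool:
    """An attribute name outside the known macOS set (e.g. 'test' or
    'com.example.hidden_data') deserves a closer look."""
    return not name.startswith(KNOWN_MACOS_PREFIXES)


def looks_like_script(value: bytes) -> bool:
    """Heuristic: does the attribute value carry executable content?"""
    return any(marker in value for marker in SCRIPT_MARKERS)


# (relative path, attribute name, value size in bytes, script-like?)
Finding = Tuple[str, str, int, bool]


def scan_tree(root: str,
              list_attrs: Callable[..., List[str]] = os.listxattr,
              get_attr: Callable[..., bytes] = os.getxattr) -> List[Finding]:
    """Recursively enumerate extended attributes under `root`, like `xattr -r`,
    and report every attribute that is not a known macOS one.  The two
    accessors are parameters so the walk can be unit-tested with fake data."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                attrs = list_attrs(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable entry or filesystem without xattr support
            for attr in attrs:
                if not is_unusual_attr(attr):
                    continue
                try:
                    value = get_attr(path, attr, follow_symlinks=False)
                except OSError:
                    value = b""
                findings.append((os.path.relpath(path, root), attr,
                                 len(value), looks_like_script(value)))
    return findings


def hide_and_reveal(path: str, attr: str = "user.hidden_data",
                    payload: bytes = b"not so secret") -> Optional[bytes]:
    """Reproduce the article's walkthrough on one file: write the attribute,
    confirm it is listed, read it back, delete it, confirm it is gone.
    Returns the value read back, or None when the filesystem refuses user
    xattrs, so a caller can tell 'unsupported here' from 'wrong'."""
    try:
        os.setxattr(path, attr, payload)
        assert attr in os.listxattr(path)
        seen = os.getxattr(path, attr)
        os.removexattr(path, attr)
        assert attr not in os.listxattr(path)
        return seen
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EPERM, errno.EACCES):
            return None
        raise


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "secret.txt")
        with open(target, "w") as fh:
            fh.write("not so secret\n")
        print("round trip:", hide_and_reveal(target))
        # Stage a constructed script-bearing attribute and let the scanner find it.
        if hide_and_reveal(target) is not None:
            os.setxattr(target, "user.test", b"#!/bin/sh\necho staged\n")
            for finding in scan_tree(tmp):
                print(finding)
            os.removexattr(target, "user.test")
```

Running the module on an unpacked bundle directory prints one line per non-Apple attribute with its size and whether it looks executable; a large or script-like value on a file inside `Contents/` is the signal the article's investigation turned up. The accessor parameters exist purely so the walk can be exercised on a filesystem without xattr support.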

The malicious domain, linked to a CERT-flagged IP address, confirms the involvement of the Lazarus Group and enables further investigation into other malicious domains hosted on the same infrastructure.

According to Denwp, the Lazarus Group leveraged the RustyAttr trojan to bypass macOS security measures. Signed with a revoked certificate and often disguised as a legitimate application to deceive victims, the trojan exploits extended attributes to fetch and execute malicious scripts undetected.

