Lazarus Hackers Exploits macOS Extended Attributes To Evade Detection

The xattr command in Unix-like systems allows for the embedding of hidden metadata within files, similar to Windows ADS, known as Rustyattr, which is being exploited by threat actors like Lazarus Group to stealthily conceal malicious payloads within seemingly benign files.

The Lazarus Group is covertly embedding malicious data within system files using xattr, a technique that evades traditional detection methods and is currently not recognized by the MITRE ATT&CK Framework, leaving defenders vulnerable to these persistent attacks.

xattr provides a mechanism to store additional metadata, such as tags, flags, or binary data, alongside files on Unix-like systems, enabling flexible file management and organization beyond standard attributes.

macOS xattr, while useful for system metadata, can be exploited by attackers to conceal malicious data within files, potentially bypassing security measures and hindering detection efforts.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

A text file named `secret.txt` is created and filled with the content “not so secret.” Subsequently, the `xattr` command is employed to add a hidden attribute named `com.example.hidden_data` to the file, storing additional, concealed data within its extended attributes.

The `xattr secretfile.txt` command lists extended attributes associated with the specified file, while `xattr -p user.hidden_data secretfile.txt` reveals the hidden data stored within the ‘user.hidden_data’ attribute.

The command `xattr -d com.example.hidden_data secret.txt` removes the extended attribute named “com.example.hidden_data” from the file “secret.txt,” which effectively eliminates the hidden data associated with the file.

The group has been exploiting macOS’s extended attributes (xattr) to conceal malicious code, evading detection by traditional security tools, which allows the group to maintain persistence on infected systems by hiding malicious payloads within file metadata. 

It’s RustyAttr trojan leverages macOS extended attributes for covert persistence, hiding malicious code from detection tools, which enables the group to maintain a stealthy presence on compromised systems, bypassing traditional security measures.

By downloading a suspicious zip file (DD Form Questionnaire.zip), it contains a .docx and an .app file, while to investigate the .app file for hidden malicious code, it used the `xattr` command with the `-r` flag to recursively examine extended attributes within the application and any subdirectories.

Examining the app package with `xattr -r` revealed a custom attribute “test” containing a malicious script, which downloads a PDF, opens it, and fetches a second-stage payload from a remote server using AppleScript.  

The malicious domain, linked to a CERT-flagged IP address, confirms the involvement of the Lazarus Group, enabling further investigation into other malicious domains hosted on the same infrastructure. 

According to Denwp, the Lazarus Group leveraged the RustyAttr trojan to bypass macOS security measures, which, signed with a revoked certificate, exploits extended attributes to fetch and execute malicious scripts undetected, often disguised as legitimate applications, to deceive victims.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar