Cyber Security News

Lazarus Hackers Exploits macOS Extended Attributes To Evade Detection

The xattr command in Unix-like systems allows for the embedding of hidden metadata within files, similar to Windows ADS, known as Rustyattr, which is being exploited by threat actors like Lazarus Group to stealthily conceal malicious payloads within seemingly benign files.

The Lazarus Group is covertly embedding malicious data within system files using xattr, a technique that evades traditional detection methods and is currently not recognized by the MITRE ATT&CK Framework, leaving defenders vulnerable to these persistent attacks.

xattr provides a mechanism to store additional metadata, such as tags, flags, or binary data, alongside files on Unix-like systems, enabling flexible file management and organization beyond standard attributes.

macOS xattr, while useful for system metadata, can be exploited by attackers to conceal malicious data within files, potentially bypassing security measures and hindering detection efforts.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

creating a simple text file

A text file named `secret.txt` is created and filled with the content “not so secret.” Subsequently, the `xattr` command is employed to add a hidden attribute named `com.example.hidden_data` to the file, storing additional, concealed data within its extended attributes.

The `xattr secretfile.txt` command lists extended attributes associated with the specified file, while `xattr -p user.hidden_data secretfile.txt` reveals the hidden data stored within the ‘user.hidden_data’ attribute.

To view the hidden data stored in the extended attribute

The command `xattr -d com.example.hidden_data secret.txt` removes the extended attribute named “com.example.hidden_data” from the file “secret.txt,” which effectively eliminates the hidden data associated with the file.

The group has been exploiting macOS’s extended attributes (xattr) to conceal malicious code, evading detection by traditional security tools, which allows the group to maintain persistence on infected systems by hiding malicious payloads within file metadata. 

It’s RustyAttr trojan leverages macOS extended attributes for covert persistence, hiding malicious code from detection tools, which enables the group to maintain a stealthy presence on compromised systems, bypassing traditional security measures.

After extracting the zip file

By downloading a suspicious zip file (DD Form Questionnaire.zip), it contains a .docx and an .app file, while to investigate the .app file for hidden malicious code, it used the `xattr` command with the `-r` flag to recursively examine extended attributes within the application and any subdirectories.

Examining the app package with `xattr -r` revealed a custom attribute “test” containing a malicious script, which downloads a PDF, opens it, and fetches a second-stage payload from a remote server using AppleScript.  

The malicious domain, linked to a CERT-flagged IP address, confirms the involvement of the Lazarus Group, enabling further investigation into other malicious domains hosted on the same infrastructure. 

According to Denwp, the Lazarus Group leveraged the RustyAttr trojan to bypass macOS security measures, which, signed with a revoked certificate, exploits extended attributes to fetch and execute malicious scripts undetected, often disguised as legitimate applications, to deceive victims.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…

1 hour ago

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…

1 hour ago

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…

1 hour ago

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…

1 hour ago

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

1 day ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

1 day ago