A new technique used by the Lazarus Advanced Persistent Threat (APT) group smuggles malicious code onto macOS systems by abusing custom extended attributes.
This novel method, observed by Group-IB, bypasses traditional security controls, allowing the malicious code to remain hidden and undetected.
Extended attributes, normally used to store additional file metadata, are being used by Lazarus to conceal and execute malware on targeted systems.
Evolution of malware concealment
The group's recent malware samples suggest it is experimenting with extended attributes to evade detection, much like an earlier technique from 2020 in which Bundlore adware hid its payload in resource forks. Lazarus's new approach, however, relies on extended attributes, which are more versatile on modern macOS systems.
Among the Lazarus malware discovered was 'RustyAttr', a trojan built with the Tauri framework. Tauri lets developers build applications that combine a web front end with a Rust back end, and such applications can run stealthily on macOS.
By hiding malicious code inside extended attributes and then executing it through Tauri's built-in interface commands, Lazarus bypasses much antivirus protection. Notably, the malware goes completely undetected on VirusTotal.
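Because extended attributes are rarely inspected, a defender's first step is simply to enumerate them and flag anything that does not look like ordinary Apple metadata. The following triage script is an added example written for this article; it is not Group-IB's tooling, and its allow-list, size threshold, content markers and sample attribute values are constructed assumptions rather than indicators from the report. On Linux it reads attributes via `os.listxattr`; on macOS, where Python lacks that call, it shells out to the system `xattr` command.

```python
"""Triage extended attributes (xattrs) on files for hidden payloads.

Added illustration for the article above; not code from Group-IB or from
the RustyAttr sample. Heuristics and sample values are constructed.
"""
import os
import subprocess

# Attribute namespace macOS itself writes (assumption: illustrative, not exhaustive).
KNOWN_PREFIXES = ("com.apple.",)

# Byte patterns that suggest script content rather than metadata (constructed list).
SCRIPT_MARKERS = (b"#!/bin/", b"#!/usr/bin/", b"osascript", b"base64 -d", b"eval ")

# Metadata values are normally small; anything larger deserves a look (assumption).
MAX_BENIGN_SIZE = 4096


def triage_attributes(attrs: dict[str, bytes]) -> list[str]:
    """Return human-readable findings for one file's attributes (name -> value)."""
    findings = []
    for name, value in attrs.items():
        reasons = []
        if not name.startswith(KNOWN_PREFIXES):
            reasons.append("non-Apple attribute namespace")
        if len(value) > MAX_BENIGN_SIZE:
            reasons.append(f"unusually large value ({len(value)} bytes)")
        if any(marker in value for marker in SCRIPT_MARKERS):
            reasons.append("value looks like executable script content")
        if reasons:
            findings.append(f"{name}: " + "; ".join(reasons))
    return findings


def read_attributes(path: str) -> dict[str, bytes]:
    """Read a file's xattrs: os.listxattr on Linux, the xattr CLI on macOS.

    On macOS `xattr <file>` lists attribute names one per line and
    `xattr -p <name> <file>` prints a value (binary values appear hex-dumped,
    which still trips the size heuristic).
    """
    if hasattr(os, "listxattr"):
        return {n: os.getxattr(path, n) for n in os.listxattr(path)}
    listed = subprocess.run(["xattr", path], capture_output=True, text=True, check=True)
    out = {}
    for name in listed.stdout.split():
        printed = subprocess.run(["xattr", "-p", name, path], capture_output=True, check=True)
        out[name] = printed.stdout
    return out


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory and map each file with findings to its list of findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                findings = triage_attributes(read_attributes(path))
            except (OSError, subprocess.CalledProcessError):
                continue  # unreadable file or no xattr support; skip rather than abort
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    for path, findings in scan_tree(target).items():
        print(path)
        for line in findings:
            print("   ", line)
```

Run it against a download folder or an unpacked application bundle. The size heuristic deliberately also fires on `com.apple.ResourceFork`, the attribute behind the 2020 Bundlore technique mentioned above, so a large resource fork on a file that has no business carrying one is surfaced as well.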
Decoy tactics and user distraction
The research also showed that the Lazarus malware includes various decoy elements, such as PDFs relating to project development or cryptocurrency, and fake dialog boxes.
These decoys are intended to mislead users while the malware runs in the background and fetches additional malicious scripts from command-and-control (C2) servers that have been linked to Lazarus since 2024.
The key findings from Group-IB's analysis include:
- Code smuggling via extended attributes, a technique not yet catalogued in the MITRE ATT&CK framework
- The discovery of RustyAttr, a macOS trojan built with the Tauri framework
- The use of fake decoys and dialogs to distract users while malicious scripts execute
- A moderate level of confidence in attributing this activity to Lazarus, because no direct victims were identified
At present, Apple's Gatekeeper blocks unsigned or non-notarized applications. However, if victims override this protection, they may unknowingly allow the Lazarus malware to execute.
Cyber security experts urged users to remain cautious when asked to download files from unknown sources and to keep Gatekeeper protection enabled, because disabling it can leave macOS systems vulnerable to such attacks.