This sneaky new malware is attacking macOS users with an arsenal of tricks. – TODAY Newspaper

Security researchers from Group-IB have discovered a unique new piece of malware that abuses the extended attributes of macOS files to deploy its payload. The malware was likely built by North Korean state-sponsored actors.

Cybersecurity researchers have stumbled upon another macOS malware variant likely built by North Korea’s notorious Lazarus group.

The Group-IB report concerns the discovery of RustyAttr, a new piece of macOS malware built using the Tauri framework.

The malware was not detected on VirusTotal and, at one point, was signed using a legitimate Apple developer ID. The ID has since been revoked.

Days earlier, Jamf researchers found something similar: a seemingly benign app on VirusTotal, built with Flutter, and acting as a backdoor for macOS victims.

In both cases, the malware used novel obfuscation methods but was not fully operational, leading researchers to believe they were simple experiments as criminals look for new ways to hide the infection.

RustyAttr was found abusing macOS extended attributes, researchers claim.

When the malware runs, it loads a web page containing a piece of JavaScript, preload.js. This script extracts the content stored under the name “test”, which appears to be a location, and passes it to the ‘run_command’ function, which executes the shell script.

While the process is in progress, the victim is tricked with a fake PDF file or a fake error message that appears in the foreground.
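As an added example (not code from the article or from Group-IB's research), here is a defender-side Python check that flags extended attributes carrying script-like content, the storage trick described above. The attribute name “test” comes from the article; the script markers, the size threshold and the sample values are assumptions constructed for illustration.

```python
import os
from pathlib import Path

# Attribute name reported for RustyAttr (from the article). Linux prefixes
# user attributes with "user."; macOS uses bare names.
KNOWN_NAMES = {"test", "user.test"}
# Assumed markers: byte strings that rarely appear in legitimate metadata
# but are typical of a shell script or launcher command.
SCRIPT_MARKERS = (b"#!", b"/bin/sh", b"/bin/bash", b"/bin/zsh", b"osascript", b"open -a")
MAX_BENIGN_SIZE = 512  # assumed threshold for a custom attribute's value


def classify_xattr(name: str, value: bytes) -> list[str]:
    """Return the reasons an attribute looks like a hidden script (empty if benign)."""
    reasons = []
    if name in KNOWN_NAMES:
        reasons.append("name matches RustyAttr attribute 'test'")
    if any(marker in value for marker in SCRIPT_MARKERS):
        reasons.append("value contains shell-script markers")
    if len(value) > MAX_BENIGN_SIZE and not name.startswith("com.apple."):
        reasons.append(f"unusually large custom attribute ({len(value)} bytes)")
    return reasons


def scan_tree(root: str) -> dict[str, dict[str, list[str]]]:
    """Walk a directory (e.g. an .app bundle) and report suspicious attributes.

    Uses os.listxattr/os.getxattr, which Python exposes on Linux; on macOS
    the same data is available through the `xattr -l` command.
    """
    findings: dict[str, dict[str, list[str]]] = {}
    if not hasattr(os, "listxattr"):
        return findings
    for path in Path(root).rglob("*"):
        try:
            names = os.listxattr(path, follow_symlinks=False)
            for name in names:
                value = os.getxattr(path, name, follow_symlinks=False)
                reasons = classify_xattr(name, value)
                if reasons:
                    findings.setdefault(str(path), {})[name] = reasons
        except OSError:
            continue  # unreadable file or filesystem without xattr support
    return findings


def demo() -> dict[str, list[str]]:
    """Classify constructed sample attributes (not real RustyAttr data)."""
    samples = {
        "com.apple.quarantine": b"0083;66f1a2b3;Safari;",              # normal macOS metadata
        "test": b"#!/bin/sh\nopen -a Preview /tmp/decoy.pdf\n",       # script shown with a decoy PDF
        "user.notes": b"project notes, nothing to see",                # harmless custom attribute
    }
    return {name: classify_xattr(name, value) for name, value in samples.items()}
```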

Researchers said RustyAttr was probably built by Lazarus, although as there are no reported victims, they can’t be absolutely sure. However, they are certain that the malware was built to test new delivery and obfuscation methods on macOS devices.
