Group-IB, Stealthy Attributes of APT Lazarus: Evading Detection with Extended Attributes

November 2024 by Group-IB

Group-IB just published new findings about APT Lazarus, which has recently been observed to be experimenting with a novel method of smuggling malicious code using custom extended attributes (EAs) in Apple macOS file systems. Extended attributes, which store additional metadata beyond standard file information, offer a more covert way to conceal payloads compared to traditional file structures.

This technique is similar to the 2020 Bundlore adware campaign, which hid its payload in resource forks, a now-deprecated feature in macOS. While only a few samples have been detected and no confirmed victims identified, this indicates a potential shift in malware tactics, with Lazarus leveraging extended attributes to evade detection and possibly set the stage for a new trend in malware targeting macOS.

Key Discoveries:

Group-IB researchers have identified a new technique that has yet to be included in the MITRE ATT&CK framework: code smuggling using extended attributes.

Group-IB researchers discovered a new macOS trojan dubbed RustyAttr.

The trojans were developed using the Tauri framework and were originally signed with a leaked certificate that was later revoked.

The files are fully undetected on VirusTotal.
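Because the samples slip past VirusTotal, a defender needs a host-side check that looks at the extended attributes themselves rather than at file hashes. The script below is an added example, not Group-IB's code or anything from the RustyAttr samples: it reads every EA on each file under a directory with the standard-library `os.listxattr`/`os.getxattr` calls (available on macOS and Linux) and flags attributes whose name is outside a small allowlist of attributes macOS writes itself, whose value is unusually large, or whose bytes start with a shebang or Mach-O magic, or look packed. The allowlist, the 4 KiB size threshold and the `SAMPLE_ATTRS` mapping are assumptions constructed for the example; the `com.apple.ResourceFork` entry is where macOS surfaces the legacy resource fork that the 2020 Bundlore campaign abused.

```python
"""Added example (not Group-IB's code): triage the extended attributes (EAs)
on files and flag those that look like smuggled code rather than metadata.
Uses only os.listxattr/os.getxattr, which exist on macOS and Linux."""
import math
import os
from typing import Dict, List, Tuple

# Attribute names macOS itself writes; anything outside this set gets a closer look.
# (Assumption: an allowlist tuned for a real fleet would be longer.)
KNOWN_MACOS_ATTRS = {
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.ResourceFork",   # legacy resource fork, the hiding place Bundlore used in 2020
    "com.apple.metadata:kMDItemWhereFroms",
    "com.apple.metadata:_kMDItemUserTags",
    "com.apple.lastuseddate#PS",
    "com.apple.provenance",
}

SIZE_THRESHOLD = 4096  # bytes (assumed); ordinary metadata is small, code payloads are not

# Leading bytes of 32/64-bit Mach-O images (both byte orders) and fat binaries.
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted blobs sit near 8, plain text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_attribute(name: str, value: bytes) -> List[str]:
    """Return the reasons (possibly none) this EA deserves analyst attention."""
    reasons = []
    if name not in KNOWN_MACOS_ATTRS:
        reasons.append("non-standard attribute name")
    if len(value) >= SIZE_THRESHOLD:
        reasons.append(f"large value ({len(value)} bytes)")
    if value.startswith(b"#!"):
        reasons.append("shebang: script content")
    if value[:4] in MACHO_MAGICS:
        reasons.append("Mach-O magic: native executable")
    if len(value) >= 256 and shannon_entropy(value) > 7.5:
        reasons.append("high entropy: packed or encrypted data")
    return reasons


def triage_attributes(attrs: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Pure function over a name->value mapping, so it also runs on captured data."""
    return {name: r for name, value in attrs.items()
            if (r := classify_attribute(name, value))}


def read_attributes(path: str) -> Dict[str, bytes]:
    """Pull every EA off one file without following symlinks."""
    out = {}
    for name in os.listxattr(path, follow_symlinks=False):
        try:
            out[name] = os.getxattr(path, name, follow_symlinks=False)
        except OSError:
            out[name] = b""  # attribute vanished or is unreadable; keep the name
    return out


def scan_tree(root: str) -> List[Tuple[str, str, List[str]]]:
    """Walk a directory and collect (path, attribute, reasons) for suspicious EAs."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                attrs = read_attributes(path)
            except OSError:
                continue
            for name, reasons in triage_attributes(attrs).items():
                findings.append((path, name, reasons))
    return findings


# Constructed sample of one file's EAs: two benign macOS attributes and a
# made-up third attribute carrying a shell script.
SAMPLE_ATTRS = {
    "com.apple.quarantine": b"0083;6733a1b2;Safari;",
    "com.apple.FinderInfo": bytes(32),
    "com.example.hidden": b"#!/bin/sh\necho payload would go here\n",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, name, reasons in scan_tree(sys.argv[1]):
            print(f"{path}  {name}: {', '.join(reasons)}")
    else:
        for name, reasons in triage_attributes(SAMPLE_ATTRS).items():
            print(f"{name}: {', '.join(reasons)}")
```

Run it with a directory argument to sweep a download folder or an application bundle; without arguments it triages the constructed sample and reports only the `com.example.hidden` attribute. The name allowlist is the weakest signal, since an attacker can pick any name, which is why the content and size checks are applied to every attribute, allowlisted or not.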