Lazarus Group Uses Extended Attributes for Code Smuggling in macOS
Summary:
According to a recent report by Group-IB, the Lazarus APT group has begun smuggling code in custom extended attributes. Extended attributes are metadata that a file system attaches to files and folders beyond the standard metadata (size, timestamps, permissions); on macOS they are read and written with the xattr command and are not displayed by Finder or a plain ls listing (ls -l marks a file carrying them with an @, and ls -l@ lists them). The closest analogue Group-IB could find is a 2020 Bundlore campaign in which the adware hid its payload inside resource forks, a legacy part of the Mac file format. Resource forks are deprecated in modern macOS, having been superseded by the application bundle structure and extended attributes. Group-IB has only encountered a few samples of this technique in the wild and cannot conclusively identify any victim organizations; it is possible that Lazarus is simply experimenting with ways to conceal code on macOS. Group-IB attributes the activity to Lazarus with moderate confidence.
Group-IB notes that, at the time of its report, smuggling code in extended attributes had not yet been added to the MITRE ATT&CK framework as a technique. In its analysis Group-IB identified a new macOS trojan, which it named RustyAttr, built with the Tauri framework. The application was signed with a developer certificate that has since been revoked and was not notarized, and the samples had zero detections on VirusTotal at the time of discovery. The threat actor (TA) took a roundabout route to execution, probably to remain less noticeable and harder to trace. When the application is launched, the Tauri frontend renders an HTML page in a WebView; the page itself is a generic template pulled from the internet. Group-IB observed that the page also loads an additional, suspicious JavaScript file named "preload.js". That script calls get_application_properties, a command exposed by the application's Rust backend, which reads the contents of an extended attribute named "test" from the file and passes it to run_command, where it is executed as a shell script. Because the payload lives in the attribute rather than in the binary, the executable and the bundle look benign to scanners that only inspect file contents. The next stage was not available for download at the time of Group-IB's research, but the staging server contacted to fetch it had already been identified as part of Lazarus infrastructure in May 2024.
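The extraction step described above (read an attribute, hand its value to a shell) suggests the reverse check for defenders. What follows is an added example written for this summary, not code from Group-IB or from the RustyAttr sample: it walks a directory such as an .app bundle, reads every file's extended attributes (through os.listxattr on Linux, and through a ctypes call into libc's listxattr/getxattr on macOS, where Python's os module lacks these functions), and flags any attribute whose name sits outside an Apple namespace or whose value looks like a script. The allowlist of name prefixes, the shell markers and the 4 KiB size threshold are assumptions chosen for illustration and should be tuned to what is normal on your fleet.

```python
"""Hunt for script payloads hidden in extended attributes (xattrs).

Added example, not Group-IB's tooling or code from the RustyAttr sample.
The attribute-name allowlist, shell markers and size threshold are
illustrative assumptions: tune them to what is normal on your fleet.
"""
import ctypes
import ctypes.util
import os
import sys
from typing import Dict, Iterator, List, Tuple

# Namespaces the OS itself writes. macOS keeps quarantine, FinderInfo, Spotlight
# metadata, provenance, etc. under com.apple.*; the others are Linux kernel namespaces.
KNOWN_PREFIXES = ("com.apple.", "security.", "system.", "trusted.")
# The attribute's content is handed straight to a shell in the reported sample, so
# look for script-like values. Markers and threshold are assumptions for this example.
SHELL_MARKERS = (b"#!/bin/", b"/bin/sh", b"/bin/bash", b"/bin/zsh", b"curl ", b"osascript")
LARGE_VALUE = 4096
XATTR_NOFOLLOW = 0x0001  # macOS <sys/xattr.h>


def odd_name(name: str) -> bool:
    """True if the attribute name sits outside any namespace the OS uses."""
    return not name.startswith(KNOWN_PREFIXES)


def value_reasons(data: bytes) -> List[str]:
    """Why an attribute value looks like code rather than metadata."""
    reasons = []
    if data.lstrip().startswith(b"#!"):
        reasons.append("shebang")
    if any(m in data for m in SHELL_MARKERS):
        reasons.append("shell-marker")
    if len(data) >= LARGE_VALUE:
        reasons.append("large")
    return reasons


def classify(attrs: Dict[str, bytes]) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for every attribute an analyst should look at."""
    hits = []
    for name, data in attrs.items():
        reasons = value_reasons(data)
        if odd_name(name):
            reasons.insert(0, "unknown-namespace")
        if reasons:
            hits.append((name, reasons))
    return hits


def _darwin_xattrs(path: str) -> Dict[str, bytes]:
    """macOS: Python's os module has no xattr calls there, so call libc directly."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.listxattr.restype = libc.getxattr.restype = ctypes.c_ssize_t
    libc.listxattr.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_size_t, ctypes.c_int]
    libc.getxattr.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_char_p,
                              ctypes.c_size_t, ctypes.c_uint32, ctypes.c_int]
    p = os.fsencode(path)
    n = libc.listxattr(p, None, 0, XATTR_NOFOLLOW)  # NULL buffer: size query
    if n <= 0:
        return {}
    names_buf = ctypes.create_string_buffer(n)
    n = libc.listxattr(p, names_buf, n, XATTR_NOFOLLOW)
    out: Dict[str, bytes] = {}
    for name in (x for x in names_buf.raw[:max(n, 0)].split(b"\0") if x):
        size = libc.getxattr(p, name, None, 0, 0, XATTR_NOFOLLOW)
        if size < 0:
            continue
        val = ctypes.create_string_buffer(size + 1)
        size = libc.getxattr(p, name, val, size, 0, XATTR_NOFOLLOW)
        out[name.decode("utf-8", "replace")] = val.raw[:max(size, 0)]
    return out


def read_xattrs(path: str) -> Dict[str, bytes]:
    """All xattrs of one file, or {} where the platform or filesystem offers none."""
    try:
        if sys.platform == "darwin":
            return _darwin_xattrs(path)
        names = os.listxattr(path, follow_symlinks=False)
        return {n: os.getxattr(path, n, follow_symlinks=False) for n in names}
    except (OSError, AttributeError):
        return {}


def scan_tree(root: str) -> Iterator[Tuple[str, List[Tuple[str, List[str]]]]]:
    """Walk an application bundle (or any tree) and yield (path, hits) for files of interest."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            hits = classify(read_xattrs(path))
            if hits:
                yield path, hits


if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print(path)
        for name, reasons in hits:
            print(f"  {name}: {', '.join(reasons)}")
```

Run it as python3 xattr_hunt.py /Applications/Suspect.app. To rehearse the scenario on a test machine, plant a harmless script in an attribute on a file inside a bundle with xattr -w test "$(cat hello.sh)" Suspect.app/Contents/MacOS/Suspect and confirm the scanner reports that file with unknown-namespace and shebang; xattr -lr Suspect.app shows the same attributes by hand. The name-based rule is the important one: a script hidden in an attribute can be obfuscated to defeat the content markers, but it still needs a name that macOS itself would never write.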
Security Officer Comments:
This newly discovered technique of hiding code in extended attributes evaded most AV engines. To succeed, however, the TA must get the victim to disable or override macOS Gatekeeper through user interaction: the signing certificate has been revoked and the application is not notarized, so Gatekeeper refuses to launch it by default. macOS system protections therefore lower the attack's success rate, and some degree of social engineering is required to compromise systems this way. If the adversary finds a way to bypass Gatekeeper, or manages to get a fake application notarized by Apple and keep that notarization unrevoked, future samples could have a much larger impact on US organizations. Lazarus remains a prominent threat to organizations worldwide, continually adding tools and techniques to its arsenal to bypass defenses and stay undetected. Group-IB assesses that this tool and technique may be used in future attacks once Lazarus refines their design and execution. Organizations should stay vigilant for new TTPs and malicious activity associated with the Lazarus APT group, one of the most prominent and active threat groups.
Suggested Corrections:
- Stay alert to any request asking you to download, open, or execute files. Verify the source and ensure it is trustworthy before proceeding, to protect your device and data from potential threats.
- Do not disable macOS Gatekeeper or allow applications from unidentified developers. Keeping Gatekeeper enabled helps protect your system from potentially harmful software; in this campaign it is the control that blocks the revoked, un-notarized application from launching.
- When reviewing a suspicious application bundle, list its extended attributes (xattr -lr <bundle>, or ls -l@ in Terminal) and treat any attribute name outside Apple's com.apple.* namespace, such as "test", or any attribute whose value looks like a script, as a finding.
- Keeping your organization secure requires ongoing vigilance. A threat intelligence solution can strengthen your security posture by giving teams early insight into emerging threats, so that risks are identified sooner and defenses put in place proactively.
IOCs, MITRE ATT&CK, and YARA Rules:
https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/
https://www.infosecurity-magazine.com/news/lazarus-extended-attributes-macos/