The RustyAttr macOS trojan employs code smuggling by leveraging extended attributes, a novel technique not yet recognized by the MITRE ATT&CK framework, which allows malicious code to be concealed within file metadata, evading traditional security measures.
The Lazarus APT is linked with moderate confidence to a trojan built with the Tauri framework and signed with a revoked certificate; at the time of analysis it was undetected by VirusTotal.
The threat actor has abused extended attributes, specifically a custom attribute named “test,” to store and retrieve hidden data or configuration within files and directories, bypassing standard file system inspection methods that look only at file contents.
Tauri-based applications, disguised as legitimate tools, are being used to distribute malware, which fetches and executes malicious scripts hidden in extended attributes while displaying deceptive PDF questionnaires or error messages to mask their malicious activity.
A threat actor triggered the attack by embedding malicious JavaScript code within a seemingly innocuous web template, which leveraged Tauri’s foreign function interface to execute Rust functions, granting the attacker unauthorized system access and control.
The script retrieves the “test” attribute from the file using the backend’s `get_application_properties` method, and if the attribute is found, a shell script is executed without user interaction; otherwise, a fake webpage is displayed.
The provided interface commands allow a frontend to interact with the backend by fetching application paths, retrieving extended attribute content, executing scripts or commands, displaying a webview, and terminating all Tauri processes.
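A defender-side check for the technique described above, added here as an example rather than code from the analysis: it parses a listing of extended attributes (assumed to be in the `path: attribute: value` form that `xattr -lr <dir>` prints on macOS, constructed inline below) and flags attribute names outside Apple's `com.apple.` namespace, such as the custom “test” attribute, as well as values that look like script content.

```python
"""Flag macOS extended attributes that could carry smuggled script content.

Added example, not part of the original write-up. The input format
(`path: attribute: value`, one line per attribute) is an assumption modelled
on `xattr -lr` output; real output may span lines for binary values.
"""
import re
from typing import List, NamedTuple

# Attribute namespaces macOS itself writes; anything else deserves a look.
KNOWN_PREFIXES = ("com.apple.",)

# Constructed sample listing: one benign quarantined PDF and one app resource
# carrying a custom "test" attribute whose value is a shell script.
SAMPLE_LISTING = """\
/tmp/demo/notes.pdf: com.apple.quarantine: 0083;66e1c2a0;Safari;
/tmp/demo/Viewer.app/Contents/Resources/index.html: com.apple.FinderInfo: 00000000
/tmp/demo/Viewer.app/Contents/Resources/index.html: test: #!/bin/sh -c 'echo smuggled'
"""

LINE_RE = re.compile(r"^(?P<path>.+?): (?P<name>[^:\s]+): (?P<value>.*)$")
# Crude markers of executable content stored where only metadata should be.
SCRIPT_MARKERS = ("#!/", "osascript", "sh -c", "bash -c")


class Finding(NamedTuple):
    path: str
    name: str
    reason: str


def find_suspicious_xattrs(listing: str) -> List[Finding]:
    """Return one Finding per suspicious attribute name or value."""
    findings: List[Finding] = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or wrapped continuation lines
        path, name, value = m.group("path", "name", "value")
        if not name.startswith(KNOWN_PREFIXES):
            findings.append(Finding(path, name, "non-Apple attribute name"))
        if any(marker in value for marker in SCRIPT_MARKERS):
            findings.append(Finding(path, name, "value looks like a script"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_xattrs(SAMPLE_LISTING):
        print(f"{f.path}\t{f.name}\t{f.reason}")
```

On a real machine, feed it the output of `xattr -lr` over the directories you want to audit, such as application bundles and recent downloads.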
Although the analyzed files are currently undetected by VirusTotal because of obfuscation, they were likely signed with a revoked Apple certificate and are not notarized, so macOS refuses to run them directly, which limits the potential harm.
Lazarus APT used a compromised pCloud account to host malicious PDFs and a RustBucket dropper (disguised as a PDF viewer) for a cryptocurrency-themed attack. The next-stage payload was fetched from Lazarus infrastructure identified in May 2024.
Group-IB analyzed a folder containing financial documents (PDFs) and archives (ZIP) but found no confirmed malware or Lazarus attribution despite the “Dedicated Pdf Viewer.zip” filename.
The group’s new technique hides malicious code in extended attributes, bypassing most antivirus engines and exploiting weaknesses in macOS. While current macOS protections mitigate some of the risk, future attacks with signed, notarized, and obfuscated payloads would pose a significant threat.
To protect devices and data, verify the source of any file download or execution request, keep macOS Gatekeeper enabled to block unauthorized software installations, and proactively strengthen security posture by using threat intelligence to identify and mitigate emerging risks.