One Article Review

Home - The article:
Source RiskIQ
Identifier 8611812
Publication date 2024-11-15 15:40:32 (viewed: 2024-11-15 16:08:33)
Title Hackers use macOS extended file attributes to hide malicious code
Text

## Snapshot

Researchers at Group-IB have identified a new trojan targeting macOS, dubbed RustyAttr, that leverages extended attributes (EAs) in macOS files to conceal malicious code.

## Description

EAs are metadata associated with files and directories in different file systems. This code smuggling is reminiscent of the [Bundlore adware approach in 2020](https://security.microsoft.com/intel-explorer/articles/71a3eed3), which also targeted macOS by hiding payloads in resource forks. Resource forks were mostly deprecated and replaced by the application bundle structure and EAs.

The RustyAttr malware uses the Tauri framework to build malicious apps that execute a shell script stored within an EA named 'test'. Tauri creates lightweight desktop apps with a web frontend (HTML, CSS, JavaScript) and a Rust backend. These apps run JavaScript that retrieves the shell script from the 'test' EA and executes it. Some samples simultaneously launch decoy PDFs or error dialogs to distract the user. The decoy PDFs, and one of the malicious application bundles, were sourced from a pCloud instance containing cryptocurrency-related content.

The applications were likely signed with a leaked certificate that Apple has since revoked. macOS Gatekeeper currently blocks these applications from running unless the user actively chooses to override these malware protections. Although Group-IB couldn't analyze the next-stage malware, they found that the staging server connects to an infrastructure endpoint of the known North Korean threat actor group Lazarus (tracked by Microsoft as [Diamond Sleet](https://security.microsoft.com/intel-profiles/b982c8daf198d93a2ff52b92b65c6284243aa6af91dda5edd1fe8ec5365918c5)). Group-IB researchers suggest that Lazarus is trying out new ways to deliver malware.

This discovery comes alongside a similar [report from SentinelLabs](https://security.microsoft.com/intel-explorer/articles/aea544a9) about the North Korean threat actor BlueNoroff (tracked by Microsoft as [Sapphire Sleet](https://security.microsoft.com/intel-profiles/45e4b0c21eecf6012661ef6df36a058a0ada1c6be74d8d2011ea3699334b06d1)), which has been using related evasion techniques on macOS, including cryptocurrency-themed phishing and modified 'Info.plist' files to retrieve second-stage payloads. It remains unclear whether the RustyAttr and BlueNoroff campaigns are connected, but together they highlight a trend of North Korean hackers focusing on macOS systems for their operations.

## Recommendations

Group-IB recommends keeping macOS Gatekeeper enabled to protect your system from harmful software. Additionally, Microsoft recommends the following mitigations to reduce the impact of this threat.

- Only install apps from trusted sources and official stores, like the Google Play Store and Apple App Store.
- Never click on unknown links received through ads, SMS messages, emails, or similar untrusted sources.
- Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it.
- To learn more about preventing trojans or other malware from affecting individual devices, [read about preventing malware infection](https://www.microsoft.com/security/business/security-101/what-is-malware).

## References

- [Hackers use macOS extended file attributes to hide malicious code](https://www.bleepingcomputer.com/news/security/hackers-use-macos-extended-file-attributes-to-hide-malicious-code/). Bleeping Computer (accessed 2024-11-14)
- [Stealthy Attributes of APT Lazarus: Evading Detection with Extended Attributes](https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/). Group-IB (accessed 2024-11-14)

## Copyright

**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
Rating ★★
Sent Yes
Tags Malware Threat Prediction
Stories APT 38


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.