| Category | Details |
|---|---|
| Threat Actors | APT Lazarus |
| Campaign Overview | New technique for code smuggling using custom extended attributes (EAs) in macOS files. RustyAttr is a macOS trojan developed with the Tauri framework. |
| Target Regions (Victims) | Not definitively confirmed; research shows a potential target group but no specific victims identified yet. |
| Methodology | The trojan uses EAs to store and execute malicious scripts. The attack involves fetching and running scripts from EAs using Tauri applications. |
| Product Targeted | macOS systems |
| Malware Reference | RustyAttr trojan |
| Tools Used | Tauri framework (for application development); xattr (for extracting EAs); shell scripts and decoys; WebView for rendering HTML with malicious JavaScript. |
| Vulnerabilities Exploited | Custom extended attributes (EAs) used for code smuggling; no direct exploitation of known vulnerabilities reported. |
| TTPs | Custom EAs for smuggling code; fake decoys (PDFs, dialogs); WebView for loading malicious JavaScript; Tauri framework's Rust backend used for system access |
| Attribution | Moderate confidence attribution to APT Lazarus |
| Recommendations | Monitor EAs for suspicious attributes; analyze WebView usage and JavaScript in Tauri-based apps; use endpoint protection that scans extended attributes |
| Source | Group-IB |
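As an added example of the first recommendation (monitoring EAs), and not code from the Group-IB article: a small Python detector that parses `xattr -l` output and flags extended attributes with non-Apple names, oversized values, or script-like content. The benign-name allowlist, the size threshold, the keyword list and the sample `xattr -l` output are all constructed assumptions to be tuned per environment.

```python
# Flag files whose macOS extended attributes (EAs) may carry smuggled code.
# Heuristics are constructed for this summary, not Group-IB's detection logic.
import re
# Benign EAs commonly seen on macOS user files (assumption: tune per fleet).
KNOWN_BENIGN = {
    "com.apple.quarantine", "com.apple.FinderInfo", "com.apple.TextEncoding",
    "com.apple.metadata:_kMDItemUserTags", "com.apple.metadata:kMDItemWhereFroms",
}
SIZE_LIMIT = 512  # bytes; legitimate EA values are usually far smaller
SCRIPT_MARKERS = re.compile(r"^#!|\b(osascript|zsh|bash|sh|curl|eval)\b")
ATTR_LINE = re.compile(r"^([A-Za-z0-9_.:#-]+): ?(.*)$")  # `xattr -l` "name: value"

def parse_xattr_l(output: str) -> dict[str, str]:
    """Parse `xattr -l <file>` text; continuation lines join the prior value."""
    attrs = {}
    current = None
    for line in output.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            current = m.group(1)
            attrs[current] = m.group(2)
        elif current is not None:
            attrs[current] += "\n" + line
    return attrs

def classify(attrs: dict[str, str]) -> list[tuple[str, list[str]]]:
    """Return (EA name, reasons) for every attribute that looks suspicious."""
    findings = []
    for name, value in attrs.items():
        reasons = []
        if name not in KNOWN_BENIGN:
            reasons.append("non-standard attribute name")
        if len(value.encode()) > SIZE_LIMIT:
            reasons.append("oversized value")
        if SCRIPT_MARKERS.search(value):
            reasons.append("script-like content")
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed `xattr -l` output: one benign EA plus a custom EA holding a script.
SAMPLE_OUTPUT = """\
com.apple.quarantine: 0083;65a1b2c3;Safari;
com.example.stage: #!/bin/zsh
osascript -e 'display dialog "Loading document..."'
"""
if __name__ == "__main__":
    for name, reasons in classify(parse_xattr_l(SAMPLE_OUTPUT)):
        print(f"{name}: {', '.join(reasons)}")
```

On a macOS host, feed `classify(parse_xattr_l(...))` the stdout of `xattr -l <file>` for each file under review; a script body that itself contains `name: value` lines will be split by the simple parser, which is acceptable for triage but worth knowing.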
Read full article: https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/
Disclaimer: The above summary has been generated by an AI language model