This devious new malware is going after macOS users with a whole barrel of tricks
Date:
Thu, 14 Nov 2024 21:02:00 +0000
Description:
North Korean hackers are apparently experimenting with extended attributes on macOS to hide malware.
FULL STORY ======================================================================Security
researchers from Group-IB discover unique new piece of malware It abuses extended attributes for macOS files to deploy the payload The malware is most likely built by North Korean state-sponsored actors
Cybersecurity researchers have stumbled upon yet another malware variant for macOS likely built by the notorious North Korean Lazarus group.
The report from Group-IB concerns the discovery of RustyAttr, a brand new piece of macOS malware built using the Tauri framework. T
he malware was not flagged on VirusTotal and was, at one point, signed using
a legitimate Apple developer ID. The ID has since been revoked. Extended attributes
Days before them, researchers from Jamf found something similar - a seemingly benign app on VirusTotal, built with Flutter, and serving as a backdoor for macOS victims.
In both cases, the malware used novel obfuscation methods, but wasnt fully operational, leading the researchers to believe that they were mere experiments, as crooks look for new ways to hide the infection.
RustyAttr was found abusing extended attributes for macOS, the researchers claim.
Extended attributes (xattrs) are a feature that allows files and directories to store additional metadata beyond standard attributes like name, size, and permissions. They are used for different things, from storing
security-related information, to tagging files with specific metadata, and enabling compatibility with other file systems. In this case, the EA name was test, and carries a shell script.
When the malware runs, it loads a website with a piece of JavaScript. This JavaScript - called preload.js, pulls content from test which seems to be a location. This location is then sent to the run_command function, where the shell script executes it.
While the process is ongoing, the victim is tricked with a decoy PDF file or
a fake error message that pops up in the foreground.
RustyAttr was most likely built by Lazarus, the researchers said, although since there are no reported victims, they cannot be absolutely certain. However, they are confident that the malware was built to test new delivery and obfuscation methods on macOS devices.
Via BleepingComputer You might also like D-Link routers are being hacked to steal customer passwords but it says there is no patch Here's a list of the best firewalls around today These are the best endpoint protection tools
right now
======================================================================
Link to news story:
https://www.techradar.com/pro/security/this-devious-new-malware-is-going-after -macos-users-with-a-whole-barrel-of-tricks
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)