Hackers use macOS extended file attributes to hide malicious code

submitted by
Style Pass
2024-11-16 04:00:04

Hackers are using a novel technique that abuses extended attributes for macOS files to deliver a new trojan that researchers call RustyAttr.

The new technique is similar to how the Bundlore adware hid its macOS payloads in resource forks in 2020. It was discovered in a few malware samples in the wild by researchers at cybersecurity company Group-IB.

Based on their analysis and because they could not confirm any victims, the researchers attribute the samples to the North Korean threat actor Lazarus with moderate confidence. They believe that the attacker may be experimenting with a new malware delivery solution.

The method is uncommon and proved effective at evading detection, as none of the security engines on the VirusTotal platform flagged the malicious files.

macOS extended attributes (EAs) are hidden metadata attached to files and directories. They are not shown by Finder or by an ordinary terminal listing, but they can be listed, read, edited, or removed with the 'xattr' command.
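As an added, defender-side example (not code from the article or from Group-IB), the script below walks a directory, reads every extended attribute on every regular file, and flags the ones that look like hidden payloads: values above a size threshold, values that start with a script shebang, or attribute names outside a small illustrative set of attributes macOS commonly sets itself (that set, the size threshold and the heuristics are assumptions, not an official list). On Linux it uses Python's native os.listxattr; on macOS, whose Python os module lacks xattr calls, it shells out to the 'xattr' command mentioned above.

```python
"""Flag extended attributes that could be hiding code (added example, not the
article's or Group-IB's code).  Usage: python ea_scan.py /path/to/scan"""
import os
import subprocess
import sys
from pathlib import Path

# Attribute names macOS itself commonly sets.  Illustrative assumption only;
# anything outside this set is merely "worth a second look", not malicious.
KNOWN_MACOS_ATTRS = {
    "com.apple.quarantine",
    "com.apple.metadata:kMDItemWhereFroms",
    "com.apple.FinderInfo",
    "com.apple.ResourceFork",
    "com.apple.lastuseddate#PS",
}


def read_xattrs(path):
    """Return {attribute name: raw bytes} for every EA on path."""
    if hasattr(os, "listxattr"):  # Linux: native API (names carry a "user." prefix)
        names = os.listxattr(path, follow_symlinks=False)
        return {n: os.getxattr(path, n, follow_symlinks=False) for n in names}
    # macOS: no os.listxattr, so use xattr(1).  Bare `xattr FILE` lists names,
    # `xattr -p -x NAME FILE` prints the value as hex bytes.
    names = subprocess.run(["xattr", str(path)], capture_output=True,
                           text=True, check=True).stdout.split()
    attrs = {}
    for name in names:
        hexdump = subprocess.run(["xattr", "-p", "-x", name, str(path)],
                                 capture_output=True, text=True, check=True).stdout
        attrs[name] = bytes.fromhex(hexdump)  # fromhex ignores the whitespace
    return attrs


def suspicious_attributes(attrs, min_size=1024):
    """Pure classification step: return [(name, size, reason)] for EAs that
    look like payload carriers.  Reasons, in priority order:
      "large"        value is at least min_size bytes
      "script-like"  value starts with a shebang, i.e. it is a script
      "unknown-name" name is not one macOS normally sets (heuristic)"""
    findings = []
    for name, value in attrs.items():
        base = name[5:] if name.startswith("user.") else name  # strip Linux namespace
        if len(value) >= min_size:
            findings.append((name, len(value), "large"))
        elif value.startswith(b"#!"):
            findings.append((name, len(value), "script-like"))
        elif base not in KNOWN_MACOS_ATTRS:
            findings.append((name, len(value), "unknown-name"))
    return findings


def scan_tree(root, min_size=1024):
    """Return {file path: findings} for every regular file under root that
    carries at least one suspicious extended attribute."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            attrs = read_xattrs(path)
        except (OSError, subprocess.CalledProcessError):
            continue  # filesystem without EA support, permission denied, etc.
        hits = suspicious_attributes(attrs, min_size)
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for file_path, hits in scan_tree(target).items():
        for name, size, reason in hits:
            print(f"{file_path}: {name} ({size} bytes) -> {reason}")
```

The classification is kept separate from the file-system access so it can be unit-tested with constructed attribute dictionaries, and so the same logic can be fed from a different collector (an EDR export, for instance). A hit is a lead to inspect with 'xattr -p', not a verdict: third-party tools legitimately write their own attributes.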
