RustyAttr: New macOS Trojan Hides in File Metadata, Evading Antivirus
Group-IB researchers have uncovered a new way of delivering a macOS trojan they call RustyAttr. The attackers store malicious code in a file’s extended attributes, metadata that most users and many scanners never look at, and use decoy PDF documents to keep the victim from noticing anything is wrong.
The technique relies on macOS extended attributes: named key-value pairs that the file system stores alongside a file, separate from its contents. Finder does not display them, and in Terminal a plain “ls -l” only flags their presence with a trailing “@”; listing and editing them takes “ls -l@” or the “xattr” command. Because the data sits outside the file body, a scanner that only hashes or inspects file contents never sees it. In RustyAttr’s case, an attribute named “test” holds a shell script.
The malicious applications are built with the Tauri framework, which pairs a web frontend (HTML and JavaScript) with a Rust backend. On launch, the app loads a web page whose script, “preload.js”, retrieves the contents of the hidden attribute and runs them as a shell script. The web layer has no access to file metadata on its own, so that step goes through the Rust backend.
To avoid arousing suspicion, the applications either open a decoy PDF or display a fake error message. The PDFs are fetched from the pCloud file-hosting service and usually carry names related to cryptocurrency investments, in line with the Lazarus group’s usual targeting. Group-IB attributes the activity to Lazarus, though without definitive confirmation, and assesses that the attackers are still testing this delivery method.
The approach proved effective against antivirus: none of the engines on VirusTotal flagged the files. The applications were signed with a compromised certificate, which Apple has since revoked, but they were never notarized.
Researchers have not yet been able to retrieve the next-stage payload for analysis, but the samples contain a link to a domain already seen in Lazarus’s malware-delivery infrastructure.
A similar tactic was previously employed by BlueNoroff, another North Korean group, which used cryptocurrency-themed phishing to lure users into installing malicious applications. Those programs were likewise signed but relied on a different evasion technique. Whether the two campaigns are connected remains unclear; the researchers suspect the groups are sharing macOS evasion methods that work.
For now, macOS’s built-in protections hold: Gatekeeper refuses to run the applications because they are not notarized, unless the user has disabled that protection or manually overrides the block. A signed and notarized build would remove that barrier, so researchers expect Lazarus to refine the technique and return with new versions of the attack.
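The distinction the article turns on, signed but not notarized, is something an analyst can confirm on the Mac with two stock tools, codesign(1) and spctl(8). The triage helper below is an added example, not part of the Group-IB report: it runs both tools against a bundle and reduces their output to a verdict (signed, by whom, notarized, certificate revoked, Gatekeeper accepts or rejects). The sample outputs embedded in it are constructed to resemble what the tools print for a signed-but-unnotarized bundle whose certificate has been revoked; the signer name and team ID are placeholders, not indicators from the report.

```python
"""Triage a downloaded .app: signed? notarized? certificate still valid?

Added example, not from the Group-IB report. It shells out to two stock
macOS tools, codesign(1) and spctl(8), and reads their output. The
sample outputs below are constructed to resemble what those tools print
for a signed-but-unnotarized bundle; they are not captured from RustyAttr.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass
class Verdict:
    signed: bool
    leaf_authority: Optional[str]   # first Authority= line: the signing certificate
    team_id: Optional[str]
    revoked: bool                   # codesign --verify reports CSSMERR_TP_CERT_REVOKED
    notarized: bool                 # spctl reports source=Notarized Developer ID
    gatekeeper_accepts: bool        # spctl's overall "accepted" / "rejected"

    def summary(self) -> str:
        if not self.signed:
            return "unsigned; Gatekeeper rejects"
        who = self.leaf_authority or "unknown signer"
        state = "notarized" if self.notarized else "NOT notarized"
        cert = "certificate REVOKED" if self.revoked else "certificate not reported revoked"
        gk = "accepts" if self.gatekeeper_accepts else "rejects"
        return f"signed by {who}; {state}; {cert}; Gatekeeper {gk}"


def interpret(details: str, verify: str, spctl: str) -> Verdict:
    """Parse `codesign -dvvv`, `codesign --verify -v` and `spctl -a -vv -t exec` output."""
    signed = "Authority=" in details and "not signed" not in details
    auth = re.search(r"^Authority=(.+)$", details, re.M)
    team = re.search(r"^TeamIdentifier=(.+)$", details, re.M)
    return Verdict(
        signed=signed,
        leaf_authority=auth.group(1).strip() if auth else None,
        team_id=team.group(1).strip() if (team and team.group(1) != "not set") else None,
        revoked="CSSMERR_TP_CERT_REVOKED" in verify,
        notarized="source=Notarized Developer ID" in spctl,
        gatekeeper_accepts=re.search(r": accepted\s*$", spctl, re.M) is not None,
    )


def assess(app_path: str) -> Verdict:
    """Run the tools against a bundle. macOS only; both tools report on stderr."""
    def run(*argv: str) -> str:
        proc = subprocess.run(argv, capture_output=True, text=True)
        return proc.stdout + proc.stderr
    details = run("codesign", "-dvvv", app_path)
    verify = run("codesign", "--verify", "--deep", "--strict", "--verbose=2", app_path)
    spctl = run("spctl", "--assess", "--type", "exec", "-vv", app_path)
    return interpret(details, verify, spctl)


# Constructed samples (placeholder signer and team ID), modelled on the tools' format.
SAMPLE_DETAILS = (
    "Executable=/Applications/Decoy.app/Contents/MacOS/Decoy\n"
    "Identifier=com.example.decoy\n"
    "Authority=Developer ID Application: Example Corp (ABCDE12345)\n"
    "Authority=Developer ID Certification Authority\n"
    "Authority=Apple Root CA\n"
    "TeamIdentifier=ABCDE12345\n"
)
SAMPLE_VERIFY_REVOKED = "/Applications/Decoy.app: CSSMERR_TP_CERT_REVOKED\n"
SAMPLE_SPCTL_REJECTED = (
    "/Applications/Decoy.app: rejected\n"
    "source=Unnotarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (ABCDE12345)\n"
)
SAMPLE_SPCTL_ACCEPTED = (
    "/Applications/Good.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (ABCDE12345)\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(assess(sys.argv[1]).summary())
    else:
        print(interpret(SAMPLE_DETAILS, SAMPLE_VERIFY_REVOKED, SAMPLE_SPCTL_REJECTED).summary())
```

Run it as “python3 triage.py /path/to/Suspect.app” on a Mac with default Gatekeeper settings; spctl’s verdict reflects the local policy, so a machine where the protection has been disabled will report “accepted” for the same bundle that a stock machine rejects, which is exactly the gap the article warns about. The team ID from codesign is the useful pivot: the same leaked certificate tends to reappear across samples until Apple revokes it.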