RustyAttr Malware Exploits macOS Metadata in Cyber Threat

A newly identified malware called RustyAttr is targeting macOS systems by abusing extended attributes in files, marking a novel and sophisticated technique in the cyber threat landscape.

Researchers have tentatively linked this activity to the Lazarus Group, a North Korea-associated entity, due to similarities with previous campaigns like RustBucket.

Extended attributes are specialized metadata fields associated with files and directories, designed to store non-standard data like timestamps, permissions, and custom attributes. The attackers leverage these attributes to hide malicious content and deliver shell scripts that execute harmful operations.

The malware, built using the Tauri framework, includes decoy mechanisms to avoid detection. When executed, it either shows a misleading error message or displays a harmless PDF, such as documents on gaming project funding.

Researchers noted that the malware’s HTML-rendering capability uses a WebView to load a fake web page that incorporates malicious JavaScript. This script extracts the extended attribute content and executes it via a Rust-based backend.

Interestingly, the fake webpage is only displayed when extended attributes are missing, hinting at a fallback mechanism. To deploy the malware, the attackers used a leaked but now-revoked Apple certificate to sign the malicious applications.

The campaign’s ultimate objective remains unclear, as no further payloads or confirmed victims have been identified. However, the malware’s ability to bypass macOS Gatekeeper protections suggests that users must actively override security measures to trigger the attack.

This points to a reliance on social engineering tactics, where victims may be tricked into disabling safeguards under false pretenses.

This discovery aligns with broader trends in North Korean cyber activity, where attackers are increasingly targeting cryptocurrency businesses and engaging in elaborate schemes such as posing as remote job seekers or conducting fraudulent coding interviews to deploy malware.

To protect against threats like RustyAttr, macOS users should avoid disabling Gatekeeper or other built-in security features. Regularly updating macOS systems and certificates, alongside deploying advanced endpoint protection solutions, can further reduce exposure to such sophisticated threats.