A new and clever malware targets macOS users using multiple tricks.
Hackers are exploiting extended attributes in macOS to hide malware.
Cybersecurity researchers have identified a new variant of malware targeting the macOS operating system, which is believed to have been developed by the Lazarus group, linked to the North Korean state. The new malware, named RustyAttr, is built with the Tauri framework and had evaded detection by the engines on VirusTotal. The application originally carried a legitimate Apple developer signature, which has since been revoked.
A few days before this discovery, researchers at Jamf had found an apparently innocuous application, also listed on VirusTotal and built with Flutter, that in fact acted as a backdoor on macOS. In both cases the malware uses novel obfuscation methods, although experts believe neither sample was fully operational, suggesting they may be trial runs to explore new ways of concealing an infection.
RustyAttr takes advantage of extended attributes in macOS, a feature that allows files and directories to store additional metadata beyond standard attributes like name, size, and permissions. These attributes can be used for various functions, including storing security-related information and tagging files with specific metadata.
When run, the malware loads a web page through a JavaScript file named preload.js, which reads the content of the extended attribute named "test"; that content serves as a location and is passed to a 'run_command' function, where the shell script is executed. While this is happening, the victim is shown a decoy PDF file or an error message in the foreground.
Researchers suspect that RustyAttr was created by Lazarus, but no victims have been reported so far, so the attribution cannot be made with certainty. Experts are nonetheless confident that the malware was designed to test new delivery and obfuscation methods on macOS devices.
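The technique described above, a payload stored in an extended attribute rather than in the file body, is something a defender can look for directly. The following Python script is an added example, not code from the article or from the researchers it cites: it lists the extended attributes of each file, ignores the attribute names macOS itself writes (the `com.apple.` prefix, an assumption used as an allow-list here), and flags any remaining attribute whose value looks like a shell script. On Linux it uses `os.listxattr`/`os.getxattr`; on macOS, where Python lacks those calls, it shells out to the `xattr(1)` tool. The sample file system embedded at the bottom is constructed for the demonstration and is not taken from the real sample.

```python
"""Flag extended attributes that carry script-like content (added example)."""
import os
import re
import subprocess
import sys
from typing import Callable, Dict, Iterable, List

# Attribute names macOS writes itself (quarantine flag, Finder info, ...).
# Assumption: anything outside this prefix deserves a closer look.
KNOWN_BENIGN_PREFIXES = ("com.apple.",)

# Markers that suggest an attribute value is a shell script rather than metadata.
SCRIPT_MARKERS = re.compile(
    rb"(^#!\s*/|\bcurl\b|\bwget\b|\bbash\b|\b/bin/(?:sh|zsh)\b|\bosascript\b|\bchmod\b)",
    re.MULTILINE,
)


def read_xattrs(path: str) -> Dict[str, bytes]:
    """Return {attribute name: raw value} for one file, or {} on error."""
    if hasattr(os, "listxattr"):  # Linux: native calls are available
        try:
            return {name: os.getxattr(path, name) for name in os.listxattr(path)}
        except OSError:
            return {}
    # macOS: no os.listxattr, so use the xattr(1) command-line tool instead.
    try:
        names = subprocess.run(["xattr", path], capture_output=True, text=True,
                               check=True).stdout.split()
        return {
            name: subprocess.run(["xattr", "-p", name, path], capture_output=True,
                                 check=True).stdout
            for name in names
        }
    except (OSError, subprocess.CalledProcessError):
        return {}


def classify_attr(name: str, value: bytes) -> str:
    """'benign' for Apple-owned names, 'script-like' if the value looks executable."""
    if name.startswith(KNOWN_BENIGN_PREFIXES):
        return "benign"
    if SCRIPT_MARKERS.search(value):
        return "script-like"
    return "unknown"


def scan(paths: Iterable[str],
         reader: Callable[[str], Dict[str, bytes]] = read_xattrs) -> List[dict]:
    """Scan files and return every non-Apple attribute with its verdict."""
    findings = []
    for path in paths:
        for name, value in reader(path).items():
            verdict = classify_attr(name, value)
            if verdict != "benign":
                findings.append({"path": path, "attr": name,
                                 "verdict": verdict, "preview": value[:60]})
    return findings


# Constructed sample "file system" so the scan can run without real xattrs.
SAMPLE_FS: Dict[str, Dict[str, bytes]] = {
    "/Applications/Demo.app/Contents/MacOS/Demo": {
        "com.apple.quarantine": b"0081;00000000;Safari;",
        "test": b"#!/bin/sh\necho constructed-sample\n",
    },
    "/Users/demo/notes.txt": {
        "user.comment": b"meeting notes",
    },
}


def scan_sample() -> List[dict]:
    """Run the scan over the constructed sample instead of the real disk."""
    return scan(SAMPLE_FS.keys(), reader=lambda p: SAMPLE_FS[p])


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = scan(targets) if targets else scan_sample()
    for hit in results:
        print(f"{hit['verdict']:11} {hit['path']}  [{hit['attr']}] {hit['preview']!r}")
```

Run it with one or more file paths to inspect a real system, or with no arguments to see the verdicts on the constructed sample: the "test" attribute holding a shebang script is reported as script-like, the harmless user comment is listed as unknown for a human to review, and the Apple quarantine attribute is skipped. The marker list is deliberately small; in practice you would tune it and treat any script-like hit on an application binary as worth pulling the file for analysis.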