Lazarus Group Uses New RustyAttr Malware for Extended Attribute Abuse to Target macOS – Active IOCs

2024-11-14, Rewterz
https://www.rewterz.com/threat-advisory/lazarus-group-uses-new-rustyattr-malware-for-extended-attribute-abuse-to-target-macos-active-iocs
#Lazarus #RustyAttr

Severity
High
Analysis Summary
Threat actors have been observed using a novel technique to smuggle a new malware family, tracked as RustyAttr, by abusing the extended attributes of macOS files. Citing tactical and infrastructure overlaps with previous campaigns such as RustBucket, researchers have attributed the activity with moderate confidence to the notorious North Korea-linked Lazarus Group.
Extended attributes are extra metadata attached to files and directories that can be read and written with the xattr command-line utility. They are frequently used to hold data such as file size, timestamps, and permissions that are not included in the normal attributes. The malicious programs found by researchers are built with Tauri, a cross-platform desktop application framework, and signed with a leaked certificate that has …
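As an added example (not part of the Rewterz advisory or the research it cites), the following Python script applies the defensive check this technique calls for: enumerate a file's extended attributes and flag those outside Apple's own namespace, with unusually large values, or with script-like content. The namespace list, size threshold and script markers are assumptions chosen for illustration, and the sample attribute set is constructed rather than taken from a real sample.

```python
import os
import subprocess
import sys

# Assumptions for this example: macOS itself writes com.apple.* attributes, whose
# values are tens of bytes; a large or script-like value in another namespace is
# unusual enough to flag.
APPLE_NS = ("com.apple.",)
LARGE_VALUE = 1024
SCRIPT_MARKERS = (b"#!", b"osascript", b"/bin/sh", b"/bin/zsh", b"curl ", b"base64")

def classify_xattr(name: str, value: bytes) -> list[str]:
    """Return the reasons (possibly none) why one attribute looks suspicious."""
    reasons = []
    if not name.startswith(APPLE_NS):
        reasons.append("non-Apple namespace")
    if len(value) >= LARGE_VALUE:
        reasons.append(f"large value ({len(value)} bytes)")
    if any(marker in value for marker in SCRIPT_MARKERS):
        reasons.append("script-like content")
    return reasons

def scan_attrs(attrs: dict[str, bytes]) -> dict[str, list[str]]:
    """Run classify_xattr over every attribute and keep only the flagged ones."""
    flagged = {}
    for name, value in attrs.items():
        reasons = classify_xattr(name, value)
        if reasons:
            flagged[name] = reasons
    return flagged

def read_xattrs(path: str) -> dict[str, bytes]:
    """Collect a real file's attributes: os.listxattr on Linux, xattr(1) on macOS."""
    if hasattr(os, "listxattr"):
        return {n: os.getxattr(path, n) for n in os.listxattr(path)}
    run = lambda *a: subprocess.run(a, capture_output=True, text=True, check=True).stdout
    # `xattr FILE` lists names; `xattr -px NAME FILE` dumps the raw value as hex.
    return {n: bytes.fromhex(run("xattr", "-px", n, path)) for n in run("xattr", path).split()}

# Constructed sample: a normal quarantine flag and Finder info beside a hidden script.
SAMPLE = {
    "com.apple.quarantine": b"0083;66f1a2b3;Safari;0F1E2D3C-0000-4000-8000-000000000000",
    "com.apple.FinderInfo": bytes(32),
    "custom.data": b"#!/bin/zsh\n" + b"echo hidden\n" * 120,
}

if __name__ == "__main__":
    target = read_xattrs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for name, reasons in scan_attrs(target).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run with a file path to inspect a real file; without arguments it scans the constructed sample and reports only the custom attribute.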

IoC
