Stealthy Attributes of APT Lazarus: Evading Detection with Extended Attributes
The simple way of stealth: if it works, it works.
In this blog we examine a fresh take on concealing code in extended attributes to evade detection on macOS. At the time of writing the technique has not been included in the MITRE ATT&CK framework: the nearest existing sub-technique, T1564.004 (Hide Artifacts: NTFS File Attributes), covers Windows alternate data streams, not macOS extended attributes.
November 13, 2024 · 8 min to read · Advanced Persistent Threats
APT
Extended Attributes
Lazarus
macOS
Rust
xattr
Introduction
APT Lazarus has begun attempting to smuggle code using custom extended attributes.
Extended attributes (xattrs) are metadata that can be associated with files and directories in various file systems. They let users store additional information about a file beyond the standard attributes such as size, timestamps and permissions. On macOS they live on APFS and HFS+ volumes and are what the system itself uses for `com.apple.quarantine`. Because an attribute is stored outside the file's data fork, it is not reflected in the size or hash of the file, and a scanner that only reads file content never sees it; `ls -l` merely shows an `@` after the mode bits, and `ls -l@` or `xattr -l` is needed to see the attribute names.
While researching malware abusing extended attributes, the most similar technique we found dates back to 2020, when Bundlore adware hid its payload in resource forks and accessed it via the special path `filename/..namedfork/rsrc`. A resource fork …
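The hunting side of this, as an added example that is not code from the Group-IB write-up or from the sample it describes: the script below parses `ls -l@` output (macOS prints one line per file, then one indented line per attribute giving its name and the size of its value) and flags any attribute outside the `com.apple.*` namespace, plus resource forks large enough to carry a payload, which covers the older Bundlore hiding spot as well. The listing embedded in it is constructed sample data, and the attribute name `custom.stage` is an assumption for illustration, not the name used by the real malware.

```python
"""Hunt for files that carry non-Apple extended attributes on macOS.

Added example, not code from the Group-IB write-up or the RustyAttr sample.
Parses `ls -l@` output and flags attributes outside the com.apple.* namespace,
plus resource forks big enough to hold a script. SAMPLE_LISTING is constructed
data; "custom.stage" is an assumed attribute name used only for illustration.
"""
import re
import subprocess
import sys
from typing import List, NamedTuple, Optional


class XattrRecord(NamedTuple):
    path: str
    name: str
    size: int          # size of the attribute value in bytes, as printed by ls -l@


class Finding(NamedTuple):
    path: str
    name: str
    size: int
    reason: str


APPLE_PREFIXES = ("com.apple.",)
RESOURCE_FORK = "com.apple.ResourceFork"   # the xattr behind filename/..namedfork/rsrc

# Indented "<name> <size>" line that ls -l@ prints under each file entry.
ATTR_LINE = re.compile(r"^\s+(\S+)\s+(\d+)\s*$")

# Constructed sample of `ls -l@` output: a decoy document, an app bundle with a
# custom xattr, a disk image with a large resource fork, and a clean text file.
SAMPLE_LISTING = (
    "total 24\n"
    "-rw-r--r--@ 1 user  staff     12 Nov 13 10:00 Discussion Points.pdf\n"
    "\tcom.apple.quarantine\t    57 \n"
    "drwxr-xr-x@ 3 user  staff     96 Nov 13 10:01 Investment.app\n"
    "\tcom.apple.quarantine\t    57 \n"
    "\tcustom.stage\t  2193 \n"
    "-rw-r--r--@ 1 user  staff   4096 Nov 13 10:02 Installer.dmg\n"
    "\tcom.apple.ResourceFork\t 65536 \n"
    "-rw-r--r--  1 user  staff    512 Nov 13 10:03 notes.txt\n"
)


def parse_ls_at(listing: str) -> List[XattrRecord]:
    """Turn `ls -l@` text into (path, attribute name, value size) records.

    File lines have nine whitespace-separated fields with the name last, so
    splitting into at most nine parts keeps names containing spaces intact.
    Attribute names containing whitespace are not handled (legal but rare).
    """
    records: List[XattrRecord] = []
    current: Optional[str] = None
    for line in listing.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        m = ATTR_LINE.match(line)
        if m and current is not None:
            records.append(XattrRecord(current, m.group(1), int(m.group(2))))
            continue
        parts = line.split(None, 8)
        if len(parts) == 9:
            current = parts[8]
    return records


def classify(rec: XattrRecord, min_fork_size: int = 1024) -> Optional[str]:
    """Reason to triage this attribute, or None if it looks ordinary."""
    if not rec.name.startswith(APPLE_PREFIXES):
        return "custom-xattr"          # anything outside Apple's namespace
    if rec.name == RESOURCE_FORK and rec.size >= min_fork_size:
        return "large-resource-fork"   # the older Bundlore-style hiding spot
    return None


def hunt(listing: str, min_fork_size: int = 1024) -> List[Finding]:
    """Parse a listing and return every attribute worth a closer look."""
    findings = []
    for rec in parse_ls_at(listing):
        reason = classify(rec, min_fork_size)
        if reason:
            findings.append(Finding(rec.path, rec.name, rec.size, reason))
    return findings


def dump_attr(path: str, name: str) -> bytes:
    """Read one attribute's raw value with the macOS `xattr` tool (macOS only)."""
    out = subprocess.run(["xattr", "-p", name, path], capture_output=True, check=True)
    return out.stdout


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for f in hunt(text):
        print(f"{f.reason:20} {f.size:>8}  {f.name}  {f.path}")
```

Run on its own the script reports on the embedded sample; on a real Mac, feed it a listing of everything that carries attributes with `find ~ -xattr -exec ls -ld@ {} + | python3 hunt.py` (assuming the file is saved as `hunt.py`; `-xattr` is the macOS `find` primary for files with any extended attribute, and `-d` stops `ls` from descending into bundles). To stage a harmless test file, `xattr -w custom.stage "$(cat script.sh)" target` writes the attribute and `xattr -d custom.stage target` removes it; `dump_attr` pulls the value back for triage. Size thresholds are a heuristic: Apple-namespaced attributes such as Finder tags and resource forks are legitimately large on many files, which is why the custom-namespace check, not size, is the primary signal.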
IoC
022344029b8bf951ba02b11025fe26c99193cb7c8a482c33862c9bbaa5e5528e
104.168.157.45
104.168.165.203
[email protected]
http://104.168.157.45
http://104.168.165.203
http://filedn.com
http://support.cloudstore.business
http://support.docsend.site
https://filedn.com/lY24cv0IfefboNEIN0I9gqR
https://filedn.com/lY24cv0IfefboNEIN0I9gqR/dragonfly/Discussion%20Points%20for%20Synergy%20Exploration_Over.pdf
https://support.cloudstore.business/256977/check
https://support.docsend.site/519529/check
rule rustyattr
{
    meta:
        author = "Sharmine Low"
        company = "Group-IB"
        family = "rustyattr"
        description = "Detects rust binary of rustyattr"
        severity = 9
        date = "2024-10-30"
        sample = "176e8a5a7b6737f8d3464c18a77deef778ec2b9b42b7e7eafc888aeaf2758c2d"

    strings:
        $s1 = "run_command"
        $s2 = "get_application_properties"
        $s3 = "get_application_path"
        $s4 = "close_main_window"
        $s5 = "show_main_window"
        $r1 = "window.__TAURI__."

    condition:
        all of ($s*) and $r1
}