Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Hackers Leverage macOS Extended File Attributes to Evade Detection: A New Twist on Malware Delivery



Hackers have found a novel way to evade detection by abusing macOS extended file attributes, hiding malicious code within custom file metadata. Researchers attribute the technique to the Lazarus Group, a well-known North Korean threat actor. The approach is particularly effective at evading detection, making it essential for users to stay vigilant and keep their systems up to date with the latest security patches.

  • Hackers are using extended file attributes (EAs) on macOS to hide malicious code within custom file metadata.
  • The Lazarus Group, a known North Korean threat actor, is behind this new malware delivery technique.
  • The attackers use a custom EA name called "test" that holds a shell script, which executes when the application runs.
  • The applications were signed using a leaked certificate, but not notarized, making detection harder for users.
  • This technique is similar to what another North Korean threat actor, BlueNoroff, was experimenting with recently.
  • The use of this technique suggests that hackers are getting better at evading security detection.
  • Users should be vigilant and keep their systems up-to-date with the latest security patches, regularly back up important data, and use reputable antivirus software.



    Hackers have once again found a novel way to evade detection by abusing a file-system feature of macOS. In this case, they are using extended file attributes (EAs) to hide malicious code within custom file metadata. The technique is reminiscent of how the Bundlore adware hid its payloads in resource forks in 2020, but with a twist that makes it even harder for security agents to detect.

    The threat actor behind this new malware delivery technique is assessed to be the Lazarus Group, a well-known North Korean threat actor known for sophisticated and targeted attacks. Researchers at cybersecurity company Group-IB discovered the technique in a few malware samples in the wild and have been analyzing it since.

    According to the report, the attackers use a custom EA named "test" that holds a shell script. When the application runs, it loads a JavaScript file called "preload.js", which reads the script from the location indicated in the "test" EA and passes it to the "run_command" function, which in turn executes the shell script.
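    The detection angle a practitioner would want from the description above is a scan of an app bundle for extended attributes that do not belong there. The following Python script is an added example, not Group-IB's tooling or code taken from the malware samples. The EA name "test" and the idea of a shell script stored in an attribute come from the report; the reverse-DNS naming heuristic, the `com.apple.` allow-list, the shell-marker substrings and the sample attribute values are assumptions made for the example. It uses `os.listxattr`/`os.getxattr`, which work on macOS and on Linux (where user-space attributes carry a `user.` prefix).

```python
"""Flag unexpected extended attributes (EAs) on files in a directory tree.

Added example; this is not Group-IB's tooling or code from the samples.
Heuristics: an EA whose name is not reverse-DNS (like the report's "test"),
or whose value looks like a shell script, deserves a closer look.
"""
import os
import sys
from typing import Dict, List

# Attributes macOS writes itself (e.g. com.apple.quarantine) are expected.
# On Linux, user-space attributes carry a "user." namespace prefix.
SYSTEM_PREFIX = "com.apple."
LINUX_NAMESPACE = "user."

# Substrings that suggest a shell script body (assumption, not from the report).
SCRIPT_MARKERS = (b"/bin/sh", b"/bin/bash", b"/bin/zsh", b"osascript ", b"curl ")


def is_script_like(value: bytes) -> bool:
    """True if the value starts with a shebang or contains a shell marker."""
    if value.lstrip().startswith(b"#!"):
        return True
    return any(marker in value for marker in SCRIPT_MARKERS)


def classify_xattrs(attrs: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each suspicious attribute name to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for name, value in attrs.items():
        bare = name[len(LINUX_NAMESPACE):] if name.startswith(LINUX_NAMESPACE) else name
        if bare.startswith(SYSTEM_PREFIX):
            continue  # normal system metadata such as the quarantine flag
        reasons = []
        if "." not in bare:
            reasons.append("non reverse-DNS attribute name")
        if is_script_like(value):
            reasons.append("value looks like a shell script")
        if reasons:
            findings[name] = reasons
    return findings


def read_xattrs(path: str) -> Dict[str, bytes]:
    """Read every EA on one path without following symlinks."""
    attrs: Dict[str, bytes] = {}
    try:
        for name in os.listxattr(path, follow_symlinks=False):
            attrs[name] = os.getxattr(path, name, follow_symlinks=False)
    except OSError:
        pass  # filesystem without xattr support, or no permission
    return attrs


def scan_tree(root: str) -> Dict[str, Dict[str, List[str]]]:
    """Walk `root` (for instance an .app bundle) and collect findings per file."""
    results: Dict[str, Dict[str, List[str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            findings = classify_xattrs(read_xattrs(path))
            if findings:
                results[path] = findings
    return results


# Constructed sample attribute sets: a benign quarantine attribute next to
# an EA named "test" as in the report. The values themselves are made up.
SAMPLE_BUNDLE = {
    "Contents/MacOS/app": {"com.apple.quarantine": b"0083;66b3c1d2;Safari;"},
    "Contents/Resources/data": {"test": b"#!/bin/sh\necho placeholder-payload\n"},
}


def scan_sample() -> Dict[str, Dict[str, List[str]]]:
    """Apply the classifier to the constructed sample (no filesystem access)."""
    results: Dict[str, Dict[str, List[str]]] = {}
    for path, attrs in SAMPLE_BUNDLE.items():
        findings = classify_xattrs(attrs)
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    # With a path argument, scan that tree; otherwise run against the sample.
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for path, findings in report.items():
        for name, reasons in findings.items():
            print(f"{path}: xattr {name!r}: {', '.join(reasons)}")
```

    Run it as `python3 scan_xattrs.py /Applications/Suspect.app` to report every file in the bundle carrying a non-Apple attribute or a script-like value; the allow-list keeps ordinary `com.apple.quarantine` and Finder metadata out of the report, so what remains is worth inspecting by hand.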

    To keep user suspicion low, some samples launch decoy PDF files or display error dialogs. The decoy PDFs are fetched from a pCloud instance that also contains entries related to cryptocurrency investment topics, in line with Lazarus' targets and goals.

    The applications themselves were signed using a leaked certificate, which Apple has since revoked, but they were not notarized. This lack of notarization makes it even harder for users to detect malicious activity within these apps.

    What is interesting about this technique is its similarity to what the North Korean threat actor BlueNoroff was experimenting with recently. That campaign, however, used cryptocurrency-themed phishing to lure targets into downloading a malicious app that was both signed and notarized. Whether the two campaigns are connected remains to be seen.

    Lazarus Group's use of macOS evasion techniques is not new, but this latest method is particularly effective against detection. According to the Group-IB researchers, none of the security engines on the VirusTotal platform flagged the malicious files, which suggests that attackers are getting better and more innovative at evading security controls.

    As with any malware delivery technique, it is essential for users to be vigilant and keep their systems up to date with the latest security patches. Regularly backing up important data and using reputable antivirus software can also help mitigate the risk of falling victim to such attacks.

    In conclusion, Lazarus Group has once again demonstrated its ability to adapt and evolve its malware delivery techniques. This new approach highlights the importance of staying vigilant against emerging threats and keeping systems secure.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/hackers-use-macos-extended-file-attributes-to-hide-malicious-code/

  • https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/

  • https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-new-macos-malware-against-crypto-firms/


  • Published: Thu Nov 14 11:36:51 2024 by llama3.2 3B Q4_K_M