You Should Know:
macOS Extended Attributes (xattrs) are a powerful feature that allows users to attach metadata to files. However, they can also be exploited by threat actors, as demonstrated by the APT Lazarus group. Below are some practical commands and steps to inspect and manage extended attributes on macOS and Linux systems:
Inspecting Extended Attributes
1. List Extended Attributes:
To view extended attributes on a file, use the following command:
xattr -l <filename>
Example:
xattr -l document.pdf
2. Remove Extended Attributes:
If you find suspicious attributes, you can remove them using:
xattr -c <filename>
Example:
xattr -c document.pdf
Analyzing Suspicious Files
1. Check for Malicious Commands:
Use `strings` to extract readable text from a binary file (note that `strings` reads the file's contents, not its extended attributes; on macOS, `xattr -p <attribute_name> <filename>` prints the value of a single attribute). The `-E` flag is required for `|` to act as an alternation in `grep`:
strings <filename> | grep -iE "curl|wget|bash"
Example:
strings document.pdf | grep -iE "curl|wget|bash"
2. Monitor File Activity:
Use `fs_usage` on macOS to monitor file system activity in real-time:
sudo fs_usage -w | grep <filename>
Example:
sudo fs_usage -w | grep document.pdf
Linux Commands for Extended Attributes
1. View Extended Attributes on Linux:
Use `getfattr`:
getfattr -d <filename>
Example:
getfattr -d document.pdf
2. Remove Extended Attributes on Linux:
Use `setfattr`:
setfattr -x <attribute_name> <filename>
Example:
setfattr -x user.malicious document.pdf
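The commands above inspect one file at a time. The script below is an added example, not code from the original post or from Group-IB: it walks a directory with the same tools (`xattr -l` on macOS, `getfattr -d` on Linux) and reports every file whose attribute values contain shell-command fragments, which is the kind of check you would run over a Downloads folder or a mail attachment store. The function names `dump_xattrs`, `flag_suspicious` and `scan_dir` and the pattern list in `SUSPICIOUS_RE` (which extends the post's `curl|wget|bash`) are my own constructed choices, not part of either tool.

```shell
#!/bin/sh
# Added example, not from the original post: report files whose extended
# attribute values look like embedded shell commands. The regex below is a
# constructed heuristic that extends the post's "curl|wget|bash" list.
SUSPICIOUS_RE='curl|wget|bash|/bin/sh|osascript'

# dump_xattrs FILE: print one "name: value" line per attribute using whichever
# tool the host provides. getfattr prints name="value" lines under a "# file:"
# header; sed rewrites them into the "name: value" shape that xattr -l uses.
dump_xattrs() {
  if command -v xattr >/dev/null 2>&1; then
    xattr -l "$1"
  elif command -v getfattr >/dev/null 2>&1; then
    getfattr -d "$1" 2>/dev/null |
      sed -n 's/^\([^#][^=]*\)="\(.*\)"$/\1: \2/p'
  fi
}

# flag_suspicious: read "name: value" lines on stdin (from dump_xattrs or a
# saved dump), print the name of every attribute whose value matches
# SUSPICIOUS_RE, and return 0 if at least one matched, 1 otherwise.
# Hex-dump continuation lines from xattr -l have no ": " and are skipped.
flag_suspicious() {
  found=1
  while IFS= read -r line; do
    case $line in
      *": "*) ;;
      *) continue ;;
    esac
    name=${line%%: *}
    value=${line#*: }
    if printf '%s\n' "$value" | grep -qiE "$SUSPICIOUS_RE"; then
      printf '%s\n' "$name"
      found=0
    fi
  done
  return "$found"
}

# scan_dir DIR: print "path: attr1 attr2 ..." for each file with a flagged
# attribute value.
scan_dir() {
  find "$1" -type f | while IFS= read -r f; do
    if hits=$(dump_xattrs "$f" | flag_suspicious); then
      printf '%s: %s\n' "$f" "$(printf '%s' "$hits" | tr '\n' ' ')"
    fi
  done
}

# Usage: sh scan_xattrs.sh /path/to/directory
if [ "$#" -gt 0 ]; then
  scan_dir "$1"
fi
```

Two caveats apply. Values that `xattr -l` renders as a hex dump (binary attributes) are not searched, so pair this with `xattr -p <attribute_name> <filename> | strings` for any attribute the script skips. On Linux, `getfattr -d` dumps only the `user.*` namespace by default; add `-m -` to include every namespace the caller is permitted to read.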
Windows Commands for File Analysis
1. Check File Metadata:
Use PowerShell to inspect file metadata:
Get-ItemProperty -Path <filepath> | Select-Object *
Example:
Get-ItemProperty -Path C:\Users\Public\document.pdf | Select-Object *
2. Monitor File Access:
Use Sysinternals Process Monitor to track file activity:
- Download Process Monitor from Microsoft Sysinternals.
- Filter for the specific file and monitor read/write operations.
What Undercode Say:
Extended attributes are a double-edged sword, offering both utility and risk. By understanding how to inspect and manage them, you can mitigate the risk of exploitation by threat actors like APT Lazarus. Always monitor file activity, especially in environments where sensitive data is handled. For further reading, visit the Group-IB Blog.
Related Commands:
- Use `man xattr` on macOS or `man getfattr` on Linux for detailed documentation.
- Explore PowerShell’s `Get-ItemProperty` for advanced file metadata analysis on Windows.
- Regularly update your system and tools to stay ahead of emerging threats.
References:
Reported By: Stephan Berger – Hackers Feeds