Lazarus Group Hides macOS Spyware in 2FA Application

lazarus group dacl remote access trojan

The Dacls RAT has been ported from an existing Linux version.

The North Korea-linked cyberthreat group known as Lazarus Group has added a new variant of the Dacls remote-access trojan (RAT) to its arsenal of spy gear, designed specifically for the Mac operating system.

Dacls was first discovered last December targeting Windows and Linux platforms. The new version for Mac is now spreading via a trojanized two-factor authentication (2FA) application for macOS called MinaOTP, mostly used by Chinese speakers, according to a Malwarebytes analysis.

Dacls is a full-featured RAT that can allow command execution, file management, traffic proxying and worm scanning.

Initial Installation

Taking a closer look at the malware, the malicious Mac executable is located in “Contents/Resources/Base.lproj/” directory of the fake application and pretends to be a nib file, according to researchers at Malwarebytes, in a posting on Wednesday.

Once it starts, it creates a property list (plist) file that specifies the application that needs to be executed after reboot, and the content of the plist file is hardcoded within the application. This ensures persistence, analysts noted.

The malware also has a configuration file, encrypted with AES, that pretends to be a database file related to the Apple Store, “Library/Caches/Com.apple.appstore.db.” The “IntializeConfiguration” function initializes this config file with a list of hardcoded command-and-control (C2) servers.

“The config file is constantly updated by receiving commands from the C2 server,” according to Malwarebytes.

The application name after installation is “Mina,” to go with Dacl’s masquerade as the MinaOTP application.

Information Harvesting

After connecting to the C2 and updating the config file, the malware then uploads collected information from the victim’s machine by calling “getbasicinfo” function (0x700), and sends “heartbeat” information (0x900). The command codes are exactly the same as the Linux version that was previously observed.

It also loads seven modules, six of which are also present in the Linux variant. The outlier is an additional plugin named “SOCKS,” which is used to proxy network traffic from the victim to the C2 server. Each plugin has its own configuration section in the config file which will be loaded at the initialization of the plugin.

To connect to the C2 server, the application first establishes a TLS connection and then performs beaconing, and it lastly encrypts the data sent over SSL using the RC4 algorithm. Both Mac and Linux variants use the WolfSSL library for the SSL communications, which is an open-source implementation of TLS in C that supports multiple platforms.

The Plugins

The first plugin, CMD, is similar to the “Bash” plugin in the Linux RAT, which receives and executes commands by providing a reverse shell to the C2 server, according to Malwarebytes.

The next is the File plugin, which can read, delete, download and search files within a directory.

“The only difference between the Mac and Linux version is that the Mac version does not have the capability to write files,” according to the analysis.

The third is the Process plugin, which is used for killing, running and getting process IDs and collecting process information.

Fourth is the Test plugin, which checks the connection to an IP address and ports specified by the C2 server.

Fifth is the RP2P plugin, which is a proxy server used to avoid direct communications from the victim to the actor’s infrastructure.

And last out of the six ported from Linux Dacls, the LogSend plugin contains three modules. These check connection to the log server; implement a worm scanner; and execute long run system commands. This plugin sends the collected logs using HTTP post requests, according to Malwarebytes.

The new SOCKS plugin meanwhile is “similar to the RP2P plugin and acts as an intermediary to direct the traffic between bot and C&C infrastructure,” according to the writeup.

Lazarus Group Connection

Lazarus Group, a.k.a. Hidden Cobra or APT 38, has been around since 2009. The APT is the one behind the highly destructive WannaCry attack that caused millions of dollars of economic damage in 2017, as well as mounting a high-profile attack against Sony Pictures Entertainment in 2014. It even has spawned a spinoff group, the entire mission of which is to steal money from banks to fund Lazarus’ cybercriminal operations.

In December, it was seen hooking up with Trickbot operators, which run a powerful trojan that targets U.S. banks and others.

Malwarebytes didn’t say how they connected Lazarus Group with Dacls, but Threatpost has reached out for more information.

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.

Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.