silversurfer
The North Korea-linked cyberthreat group known as Lazarus Group has added a new variant of the Dacls remote-access trojan (RAT) to its arsenal of spy gear, designed specifically for the Mac operating system.
Dacls was first discovered last December targeting Windows and Linux platforms. The new version for Mac is now spreading via a trojanized two-factor authentication (2FA) application for macOS called MinaOTP, mostly used by Chinese speakers, according to a Malwarebytes analysis.
Dacls is a full-featured RAT that can allow command execution, file management, traffic proxying and worm scanning.
Taking a closer look at the malware, the malicious Mac executable is located in “Contents/Resources/Base.lproj/” directory of the fake application and pretends to be a nib file, according to researchers at Malwarebytes, in a posting on Wednesday.
Once it starts, it creates a property list (plist) file that specifies the application that needs to be executed after reboot, and the content of the plist file is hardcoded within the application. This ensures persistence, analysts noted.
The malware also has a configuration file, encrypted with AES, that pretends to be a database file related to the Apple Store, “Library/Caches/Com.apple.appstore.db.” The “IntializeConfiguration” function initializes this config file with a list of hardcoded command-and-control (C2) servers. “The config file is constantly updated by receiving commands from the C2 server,” according to Malwarebytes.
The application name after installation is “Mina,” to go with Dacls’ masquerade as the MinaOTP application.
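As an added triage example (not from the post or from Malwarebytes), the script below flags any Mach-O executable sitting in an app bundle's Contents/Resources/Base.lproj directory, where only nib, storyboard and strings resources belong, and checks for the decoy config path named above. The sample bundle it builds and the file name `example.nib` are constructed for the demonstration.

```python
"""Hunt for Dacls-style artifacts in a macOS .app bundle (added example)."""
import tempfile
from pathlib import Path

# Mach-O magic numbers: 32/64-bit in both byte orders, plus fat/universal headers.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}

# Decoy config path reported by Malwarebytes, relative to the user's home directory.
DECOY_CONFIG = Path("Library/Caches/Com.apple.appstore.db")


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_macho_in_lproj(app_bundle: Path) -> list[Path]:
    """Return every Mach-O file under Contents/Resources/Base.lproj.
    Legitimate nibs are plist-based archives, never executables."""
    lproj = app_bundle / "Contents" / "Resources" / "Base.lproj"
    if not lproj.is_dir():
        return []
    return sorted(p for p in lproj.rglob("*") if p.is_file() and is_macho(p))


def decoy_config_present(home: Path) -> bool:
    """True if the fake App Store database file exists under the given home dir."""
    return (home / DECOY_CONFIG).is_file()


def demo() -> dict:
    """Build a constructed bundle in a temp dir and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        lproj = home / "Mina.app" / "Contents" / "Resources" / "Base.lproj"
        lproj.mkdir(parents=True)
        (lproj / "MainMenu.nib").write_bytes(b"bplist00" + b"\x00" * 8)  # benign nib
        (lproj / "example.nib").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # Mach-O
        hits = [p.name for p in find_macho_in_lproj(home / "Mina.app")]
        before = decoy_config_present(home)
        (home / DECOY_CONFIG).parent.mkdir(parents=True)
        (home / DECOY_CONFIG).write_bytes(b"constructed decoy")
        return {"fake_nibs": hits, "decoy_before": before, "decoy_after": decoy_config_present(home)}


if __name__ == "__main__":
    print(demo())
```

On a real host, point `find_macho_in_lproj` at each bundle under /Applications and `decoy_config_present` at each user's home directory.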
