Beware!! Lazarus APT Hackers Launching New MacOS RAT “Dacls” Via Wepanized 2FA App

Researchers identified new Remote Access Trojan “Dacls” that targets Mac users via trojanized Two Factor Authentication app (2FA) that believed to be associated with infamous North Korea’s Lazarus APT hackers.

Lazarus group aka Hidden Cobra, APT 38, an infamous North Korean threat actor performing cyber espionage, and cyber-crime operations since 2009. it’s already targeted several financial organizations and multiple platforms around the world using various advanced hacking tools and techniques.


APT 38 group is known to be one of the most sophisticated actors, capable of making custom malware to target different platforms and different infrastructure around the globe.

Initially, Dacls RAT was reported in December 2019 by researchers from Qihoo 360 NetLab, and it was developed to target the Windows and Linux users.

The latest version of this RAT was distributed via the 2 FA app called MinaOTP for MacOS, and the App is most used by the Chinese peoples with various features including command execution, file management, traffic proxying, and worm scanning and more.

The RAT is also using the various persistence technique with the help of LaunchAgents or LaunchDaemons that used to runs the code as a root user and logged in users.

Install Configuration Files and Data Stealing

Researchers also uncovered a configuration files that contains a information about the victim’s machine such as Puid, Pwuid, plugins and C&C servers. 

Current MacOS variant and the previous Linux variants use the same AES key and IV to encrypt and decrypt the config file.

Configuration files frequently receive the command from the C&C server and the name “Mina” derived from the MinaOTP application which is a two-factor authentication app for macOS.

Once the configuration files are successfully installed, the Trojanized app will perform the following commands.

  • Upload C&C server information from the config file to the server (0x601)
  • Download the config file contents from the server and update the config file (0x602)
  • Upload collected information from the victim’s machine by calling “getbasicinfo” function (0x700)
  • Send heartbeat information (0x900)

Malicious Plugins Associated with MinaOTP

Mac version of the RAT has all the 6 plugins that have been already seen in the the Linux version of the following:-

CMD plugin – The cmd plugin is similar to the “bash” plugin in the Linux rat which receives and executes commands by providing a reverse shell to the C&C server.

File Plugin – The file plugin has the capability to read, delete, download, and search files within a directory. 

Process plugin – The process plugin has the capability of killing, running, getting process ID, and collecting process information.

LogSend plugin – It helps to check the Log server connection, scan network, Execute long run system command.

Test plugin –  It checks the connection to an IP and Port specified by the C&C servers.

RP2P plugin – It is a proxy server that helps to used to avoid direct communications from the victim to the actor’s infrastructure.

Network Communication:-

C2 server communication is almost the same as the Linux variant and it establishes the encrypted TLS connection to connect the server and the data sent over SSL using the RC4 algorithm.

Traffic generated by the Application (.mina)

According to the Malwarebytes research “Both Mac and Linux variants use the WolfSSL library for SSL communications. WolfSSL is an open-source implementation of TLS in C that supports multiple platforms.”

Indicators of Compromise



Also Read: Operation AppleJeus – Lazarus APT Hackers Launching Highly Sophisticated Malware To Attack Windows & macOS Systems

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.