Researchers identified a new Remote Access Trojan, “Dacls”, that targets Mac users via a trojanized two-factor authentication (2FA) app and is believed to be associated with North Korea’s infamous Lazarus APT group.
The Lazarus group, aka Hidden Cobra or APT 38, is an infamous North Korean threat actor that has been conducting cyber espionage and cybercrime operations since 2009. It has already targeted several financial organizations and multiple platforms around the world using various advanced hacking tools and techniques.
APT 38 is known as one of the most sophisticated actors, capable of building custom malware to target different platforms and infrastructure around the globe.
Dacls RAT was first reported in December 2019 by researchers from Qihoo 360 NetLab, when it was developed to target Windows and Linux users.
The latest version of this RAT was distributed via a 2FA app called MinaOTP for macOS, which is used mostly by Chinese users. It includes various features such as command execution, file management, traffic proxying, worm scanning and more.
The RAT also achieves persistence through LaunchAgents or LaunchDaemons, which launchd uses to run the code as root or as the logged-in user.
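As an added defender-side example (not code from the report or from the malware), this Python script parses the launchd plists in the LaunchDaemons and LaunchAgents directories named above and flags entries that run from unusual or dot-prefixed paths; the sample plists, labels and program paths it builds are constructed for the demo, not Dacls artifacts.

```python
import os
import plistlib
import tempfile
from pathlib import Path
# launchd load paths: LaunchDaemons run as root, LaunchAgents as the logged-in user.
LAUNCHD_DIRS = {"/Library/LaunchDaemons": "root", "/Library/LaunchAgents": "user",
                "~/Library/LaunchAgents": "user"}
# Locations a legitimately installed persistent program is unlikely to live in.
UNUSUAL_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")

def audit_plist(path, scope):
    """Parse one launchd plist; report what it runs and any red flags."""
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except (plistlib.InvalidFileException, ValueError, OSError):
        return {"plist": str(path), "scope": scope, "program": None, "flags": ["unparseable"]}
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else None)
    flags = [] if program else ["no-program"]
    if program:
        expanded = os.path.expanduser(program)
        if expanded.startswith(UNUSUAL_PREFIXES):
            flags.append("unusual-path")
        if any(part.startswith(".") for part in Path(expanded).parts):
            flags.append("hidden-path")          # dot-prefixed file or directory
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        flags.append("autostart-and-restart")    # informational: common in malware, not unique to it
    return {"plist": str(path), "scope": scope, "program": program, "flags": flags}

def audit_dirs(dirs=None):
    """Audit every plist under a {directory: scope} map; defaults to the real launchd directories."""
    findings = []
    for directory, scope in (dirs or LAUNCHD_DIRS).items():
        base = Path(os.path.expanduser(directory))
        if base.is_dir():
            findings.extend(audit_plist(p, scope) for p in sorted(base.glob("*.plist")))
    return findings

def run_demo():
    """Constructed sample plists (not real Dacls artifacts): one benign agent, one hidden daemon."""
    tmp = Path(tempfile.mkdtemp())
    samples = {"agents/com.example.updater.plist": {"Label": "com.example.updater",
                   "Program": "/Applications/Example.app/Contents/MacOS/updater", "RunAtLoad": True},
               "daemons/com.sample.hidden.plist": {"Label": "com.sample.hidden", "RunAtLoad": True,
                   "KeepAlive": True, "ProgramArguments": ["/Users/Shared/.cache/.agent", "-d"]}}
    for rel, content in samples.items():
        (tmp / rel).parent.mkdir(exist_ok=True)
        with open(tmp / rel, "wb") as fh:
            plistlib.dump(content, fh)
    return audit_dirs({str(tmp / "daemons"): "root", str(tmp / "agents"): "user"})
```

Calling `audit_dirs()` with no argument audits the real launchd directories on the host; `run_demo()` exercises the same logic on the constructed samples.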
Install Configuration Files and Data Stealing
Researchers also uncovered configuration files that contain information about the victim’s machine, such as Puid, Pwuid, plugins and C&C servers.
The current macOS variant and the previous Linux variant use the same AES key and IV to encrypt and decrypt the config file.
Configuration files frequently receive commands from the C&C server. The name “Mina” is derived from the MinaOTP application, a two-factor authentication app for macOS.
Once the configuration files are successfully installed, the trojanized app performs the following commands:
- Upload C&C server information from the config file to the server (0x601)
- Download the config file contents from the server and update the config file (0x602)
- Upload collected information from the victim’s machine by calling the “getbasicinfo” function (0x700)
- Send heartbeat information (0x900)
Malicious Plugins Associated with MinaOTP
The Mac version of the RAT has all six plugins that were already seen in the Linux version:
CMD plugin – The cmd plugin is similar to the “bash” plugin in the Linux RAT, which receives and executes commands by providing a reverse shell to the C&C server.
File Plugin – The file plugin has the capability to read, delete, download, and search files within a directory.
Process plugin – The process plugin has the capability of killing and running processes, getting process IDs and collecting process information.
LogSend plugin – It checks the log server connection, scans the network and executes long-running system commands.
Test plugin – It checks the connection to an IP and port specified by the C&C server.
RP2P plugin – It is a proxy server used to avoid direct communication from the victim to the actor’s infrastructure.
C2 server communication is almost the same as in the Linux variant: it establishes an encrypted TLS connection to the server, and the data sent over SSL is encrypted with the RC4 algorithm.
According to the Malwarebytes research: “Both Mac and Linux variants use the WolfSSL library for SSL communications. WolfSSL is an open-source implementation of TLS in C that supports multiple platforms.”
Indicators of Compromise
- 899e66ede95686a06394f707dd09b7c29af68f95d22136f0a023bfd01390ad53
- 846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6
- 216a83e54cac48a75b7e071d0262d98739c840fd8cd6d0b48a9c166b69acd57d
- d3235a29d254d0b73ff8b5445c962cd3b841f487469d60a02819c0eb347111dd
- loneeaglerecords[.]com/wp-content/uploads/2020/01/images.tgz.001
- 188.8.131.52
- 184.108.40.206
- 220.127.116.11