North Korea-linked Lazarus APT uses a Mac variant of the Dacls RAT

Pierluigi Paganini May 09, 2020

North Korea-linked Lazarus APT group employed a Mac variant of the Dacls Remote Access Trojan (RAT) in recent attacks.

The North Korea-linked Lazarus APT group had already used at least two macOS malware families in previous attacks; now researchers from Malwarebytes have identified a new Mac variant of the Linux-based Dacls RAT.

The activity of the Lazarus APT group (aka HIDDEN COBRA) surged in 2014 and 2015, when its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and has been involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

Dacls was first spotted by researchers at Qihoo 360 Netlab in December 2019 when it was used to target both Windows and Linux devices.

It was the first malware linked to the Lazarus group that targets Linux systems.

Malwarebytes researchers observed the Mac version of Dacls being distributed via a Trojanized two-factor authentication application for macOS called MinaOTP, which is mostly used by Chinese speakers.

“We recently identified what we believe is a new variant of the Dacls Remote Access Trojan (RAT) associated with North Korea’s Lazarus group, designed specifically for the Mac operating system.” reads the analysis published by the researchers.

On April 8th, threat actors submitted a suspicious Mac application named “TinkaOTP” to VirusTotal; the malicious code was uploaded from Hong Kong, and none of the engines detected it at the time.

Both Linux and Mac variants implement a variety of features including command execution, file management, traffic proxying, and worm scanning.

The Dacls RAT achieves persistence through LaunchDaemons or LaunchAgents, which take a property list (plist) file specifying the application to be executed after reboot. Experts pointed out that LaunchAgents run code on behalf of the logged-in user, while LaunchDaemons run code as root.
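As an added example (not code from the Malwarebytes report or this article), here is a defender-side triage script that parses the launchd plists in the standard LaunchAgents/LaunchDaemons locations and flags jobs whose program runs from a temp or hidden directory or no longer exists; the sample plists, their labels and paths, and the flagging heuristic are constructed assumptions for illustration.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# launchd persistence locations on macOS: LaunchAgents run as the logged-in
# user, LaunchDaemons run as root.
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                "~/Library/LaunchAgents"]

# Triage heuristic chosen for this example (not a vendor rule): flag a job whose
# program lives in a temp directory, in a hidden ("dot") directory, or is missing.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

# Constructed sample plists: one ordinary job and one running from a hidden dir.
SAMPLE_PLISTS = {
    "com.example.clean.plist": {"Label": "com.example.clean",
        "ProgramArguments": ["/bin/sh", "-c", "true"], "RunAtLoad": True},
    "com.example.hidden.plist": {"Label": "com.example.hidden",
        "ProgramArguments": ["/Users/victim/Library/.cache/agent", "-d"],
        "RunAtLoad": True, "KeepAlive": True},
}


def parse_launchd_plist(path):
    """Extract the persistence-relevant keys from one launchd plist."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)          # handles XML and binary plists
    args = data.get("ProgramArguments") or []
    return {"plist": str(path), "label": data.get("Label"),
            "program": data.get("Program") or (args[0] if args else ""),
            "run_at_load": bool(data.get("RunAtLoad", False)),
            "keep_alive": bool(data.get("KeepAlive", False))}


def is_suspicious(entry):
    """Apply the heuristic above to the program path of one parsed job."""
    prog = os.path.expanduser(entry["program"])
    hidden_dir = any(p.startswith(".") for p in Path(prog).parts[:-1])
    return bool(prog) and (prog.startswith(TEMP_PREFIXES) or hidden_dir
                           or not os.path.exists(prog))


def scan_launchd_dirs(dirs=LAUNCHD_DIRS):
    """Return (all_entries, flagged_entries) for every plist under dirs."""
    entries = [parse_launchd_plist(p) for d in dirs
               for p in sorted(Path(d).expanduser().glob("*.plist"))]
    return entries, [e for e in entries if is_suspicious(e)]


def demo():
    """Write the constructed sample plists to a temp dir and scan only that dir."""
    tmp = tempfile.mkdtemp()
    for name, content in SAMPLE_PLISTS.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            plistlib.dump(content, fh)
    return scan_launchd_dirs([tmp])


if __name__ == "__main__":
    for e in demo()[1]:
        print("FLAGGED", e["label"], e["program"], "RunAtLoad=%s" % e["run_at_load"])
```

Running `scan_launchd_dirs()` with the default directories on a real Mac lists every launchd job and the ones the heuristic flags; review each flagged program and its signing status rather than treating the flag as proof of compromise.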

The Mac version uses the same AES key and IV as the Linux variant to encrypt and decrypt the config file.

Upon initialization, the main loop is executed; it uploads the C2 server information from the config file to the server, downloads the config file contents from the server and updates the config file, uploads information collected from the victim’s machine by calling the “getbasicinfo” function, and sends heartbeat information.

The malware has seven plugins, six of which are the same as those discovered in the Linux variant (CMD, which receives and executes commands; file, which can read, delete, download and search files; process, which can kill, run, and get process IDs; test, which checks the connection to an IP and port; RP2P, a proxy server; LogSend, which checks the connection to the log server, scans the network, and executes long-running system commands), while the seventh, named SOCKS, is used to proxy network traffic from the victim to the C&C server.

The Mac RAT implements a C&C communication similar to the Linux variant.

Like the Linux variant, the backdoor communicates with the C&C using a TLS connection and encrypts data using the RC4 algorithm.

“Both Mac and Linux variants use the WolfSSL library for SSL communications. WolfSSL is an open-source implementation of TLS in C that supports multiple platforms. This library has been used by several threat actors.” continues the report.

Additional technical details, such as IoCs, are included in the report published by Malwarebytes.


Pierluigi Paganini

(SecurityAffairs – Dacls RAT, hacking)
