Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

North Korean Hackers Release Mac Variant of Dacls RAT

North Korea-linked hacking group Lazarus has been leveraging a Mac variant of the Dacls Remote Access Trojan (RAT), Malwarebytes reports.

North Korea-linked hacking group Lazarus has been leveraging a Mac variant of the Dacls Remote Access Trojan (RAT), Malwarebytes reports.

Referred to as “Hidden Cobra” by the United States government, and also tracked as APT38, the Lazarus group is believed to have been active since at least 2009, and to have orchestrated high-profile attacks such as the Sony hack in 2014 and 2017’s WannaCry outbreak.

The group, which Kaspersky named the most serious threat to banks, targeted cryptocurrency exchanges on multiple occasions, and was observed targeting macOS users last year.

Last year, security researchers identified at least two macOS-targeting malware families used by Lazarus in attacks, and a new one appears to have been added to their arsenal: a Mac variant of the Linux-based Dacls RAT.

Initially identified by security researchers with Qihoo 360 NetLab in December 2019, the Dacls backdoor targeted both Windows and Linux systems.

The Mac version is similar to the Linux variant, packing command execution capabilities, file management and traffic proxying features, and worm scanning. It also uses the same AES key and IV as the Linux variant to encrypt and decrypt the config file.

The malware is being distributed as a trojanized version of the MinaOTP two-factor authentication application for macOS. Once up and running on a compromised system, the RAT persists through LaunchDaemons (running as root) or LaunchAgents (running code on behalf of the logged-in user).

After initialization, the malware uploads to the command and control (C&C) server info from the config file, updates the config file with content downloaded from the C&C, collects and uploads information from the victim machine, and sends heartbeat info to the server.

Advertisement. Scroll to continue reading.

The malware features seven plugins: six identified in the Linux variant (CMD – receives and executes commands; file – can read, delete, download and search files; process – can kill, run, and get process IDs; test – checks the connection to an IP and port; RP2P – proxy server; LogSend – checks connection to the log server, scans network, and executes long run system commands), and an additional one named SOCKS, which is used to proxy network traffic from the victim to the C&C server.

Similar to the Linux variant, the backdoor communicates with the C&C using a TLS connection and encrypts data using the RC4 algorithm. Both malware iterations use the WolfSSL library for SSL communications.

Related: USCYBERCOM Shares More North Korean Malware Samples

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Related: North Korea-Linked Hackers Target macOS Users

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Former Barclay’s CISO Oliver Newbury has joined ransomware protection firm Halcyon as a strategic advisor

Stephanie Crowe has been appointed head of the Australian Cyber Security Centre (ACSC).

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.