North Korea-linked hacking group Lazarus has been leveraging a Mac variant of the Dacls Remote Access Trojan (RAT), Malwarebytes reports.
Referred to as “Hidden Cobra” by the United States government, and also tracked as APT38, the Lazarus group is believed to have been active since at least 2009, and to have orchestrated high-profile attacks such as the Sony hack in 2014 and 2017’s WannaCry outbreak.
Last year, security researchers identified at least two macOS-targeting malware families used by Lazarus in attacks, and a new one appears to have been added to their arsenal: a Mac variant of the Linux-based Dacls RAT.
Initially identified by security researchers with Qihoo 360 NetLab in December 2019, the Dacls backdoor targeted both Windows and Linux systems.
The Mac version is similar to the Linux variant, packing command execution capabilities, file management and traffic proxying features, and worm scanning. It also uses the same AES key and IV as the Linux variant to encrypt and decrypt the config file.
The malware is being distributed as a trojanized version of the MinaOTP two-factor authentication application for macOS. Once up and running on a compromised system, the RAT persists through LaunchDaemons (running as root) or LaunchAgents (running code on behalf of the logged-in user).
After initialization, the malware uploads to the command and control (C&C) server info from the config file, updates the config file with content downloaded from the C&C, collects and uploads information from the victim machine, and sends heartbeat info to the server.
The malware features seven plugins: six identified in the Linux variant (CMD – receives and executes commands; file – can read, delete, download and search files; process – can kill, run, and get process IDs; test – checks the connection to an IP and port; RP2P – proxy server; LogSend – checks connection to the log server, scans network, and executes long run system commands), and an additional one named SOCKS, which is used to proxy network traffic from the victim to the C&C server.
Similar to the Linux variant, the backdoor communicates with the C&C using a TLS connection and encrypts data using the RC4 algorithm. Both malware iterations use the WolfSSL library for SSL communications.