Security Experts:

Connect with us

Hi, what are you looking for?



North Korean Hackers Release Mac Variant of Dacls RAT

North Korea-linked hacking group Lazarus has been leveraging a Mac variant of the Dacls Remote Access Trojan (RAT), Malwarebytes reports.

North Korea-linked hacking group Lazarus has been leveraging a Mac variant of the Dacls Remote Access Trojan (RAT), Malwarebytes reports.

Referred to as “Hidden Cobra” by the United States government, and also tracked as APT38, the Lazarus group is believed to have been active since at least 2009, and to have orchestrated high-profile attacks such as the Sony hack in 2014 and 2017’s WannaCry outbreak.

The group, which Kaspersky named the most serious threat to banks, targeted cryptocurrency exchanges on multiple occasions, and was observed targeting macOS users last year.

Last year, security researchers identified at least two macOS-targeting malware families used by Lazarus in attacks, and a new one appears to have been added to their arsenal: a Mac variant of the Linux-based Dacls RAT.

Initially identified by security researchers with Qihoo 360 NetLab in December 2019, the Dacls backdoor targeted both Windows and Linux systems.

The Mac version is similar to the Linux variant, packing command execution capabilities, file management and traffic proxying features, and worm scanning. It also uses the same AES key and IV as the Linux variant to encrypt and decrypt the config file.

The malware is being distributed as a trojanized version of the MinaOTP two-factor authentication application for macOS. Once up and running on a compromised system, the RAT persists through LaunchDaemons (running as root) or LaunchAgents (running code on behalf of the logged-in user).

After initialization, the malware uploads to the command and control (C&C) server info from the config file, updates the config file with content downloaded from the C&C, collects and uploads information from the victim machine, and sends heartbeat info to the server.

The malware features seven plugins: six identified in the Linux variant (CMD – receives and executes commands; file – can read, delete, download and search files; process – can kill, run, and get process IDs; test – checks the connection to an IP and port; RP2P – proxy server; LogSend – checks connection to the log server, scans network, and executes long run system commands), and an additional one named SOCKS, which is used to proxy network traffic from the victim to the C&C server.

Similar to the Linux variant, the backdoor communicates with the C&C using a TLS connection and encrypts data using the RC4 algorithm. Both malware iterations use the WolfSSL library for SSL communications.

Related: USCYBERCOM Shares More North Korean Malware Samples

Related: North Korean Hackers Continue to Target Cryptocurrency Exchanges

Related: North Korea-Linked Hackers Target macOS Users

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.