New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app
This blog post was authored by Hossein Jazi, Thomas Reed and Jérôme Segura.
We recently identified what we believe is a new variant of the Dacls Remote Access Trojan (RAT) associated with North Korea's Lazarus group, designed specifically for the Mac operating system.
Dacls is a RAT that was discovered by Qihoo 360 NetLab in December 2019 as a fully functional covert remote access Trojan targeting the Windows and Linux platforms.
This Mac version is distributed at least via a Trojanized two-factor authentication application for macOS called MinaOTP, mostly used by Chinese speakers. Similar to the Linux variant, it boasts a variety of features including command execution, file management, traffic proxying and worm scanning.
Discovery
On April 8th, a suspicious Mac application named "TinkaOTP" was submitted to VirusTotal from Hong Kong. It was not detected by any engines at the time.
The malicious bot executable is located in the “Contents/Resources/Base.lproj/” directory of the application and pretends to …
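As an added defender-side example (not code from the original post or from the researchers), the following Python script walks a macOS app bundle and flags any Mach-O file sitting under Contents/Resources, where a bundle normally holds only nibs, images and localized strings rather than executables. The sample bundle it builds, and every file name in it, is a constructed placeholder.

```python
import os
import tempfile
from pathlib import Path

# Mach-O magic values (32-bit, 64-bit, fat/universal) in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / byte-swapped
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / byte-swapped
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / byte-swapped
}

def magic_is_macho(header: bytes) -> bool:
    """True if the first four bytes are a Mach-O or fat header magic."""
    return header[:4] in MACHO_MAGICS

def is_macho(path: Path) -> bool:
    """Read the file header and check it for a Mach-O magic; unreadable files are skipped."""
    try:
        with open(path, "rb") as fh:
            return magic_is_macho(fh.read(4))
    except OSError:
        return False

def find_hidden_executables(bundle: Path) -> list:
    """Report Mach-O files under Contents/Resources (any *.lproj included).
    Contents/MacOS and Contents/Frameworks legitimately hold executables and
    are deliberately not scanned."""
    resources = bundle / "Contents" / "Resources"
    hits = []
    for root, _dirs, files in os.walk(resources):
        for name in files:
            path = Path(root) / name
            if is_macho(path):
                hits.append(path.relative_to(bundle).as_posix())
    return sorted(hits)

def build_sample_bundle(base: Path) -> Path:
    """Constructed sample bundle (placeholder names): the real main binary in
    Contents/MacOS, a normal .strings file in Base.lproj, and a Mach-O file
    hidden in Base.lproj, which is the case the scan should flag."""
    app = base / "SampleOTP.app"
    lproj = app / "Contents" / "Resources" / "Base.lproj"
    lproj.mkdir(parents=True)
    (app / "Contents" / "MacOS").mkdir()
    macho_stub = b"\xcf\xfa\xed\xfe" + b"\0" * 28  # 64-bit magic plus padding
    (app / "Contents" / "MacOS" / "SampleOTP").write_bytes(macho_stub)
    (lproj / "Localizable.strings").write_text('"ok" = "ok";\n')
    (lproj / "resource.bin").write_bytes(macho_stub)  # executable posing as a resource
    return app

def demo() -> list:
    """Build the constructed bundle in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_hidden_executables(build_sample_bundle(Path(tmp)))
```

Running `demo()` returns only the path of the Mach-O file under Base.lproj; on a real system, point `find_hidden_executables` at each `.app` under /Applications to triage bundles.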
IoC