
The Dacls RAT ...now on macOS!

2020-05-05, Objective-see
https://objective-see.com/blog/blog_0x57.html
#Dacls #macOS

Background
Early today, the noted Mac Security researcher Phil Stokes tweeted about a “Suspected #Lazarus backdoor/RAT”:


In his tweet he noted various details about the malware and was kind enough to post hashes as well. Mahalo Phil (and Thomas Reed, who initially noticed the sample on VirusTotal)! 🙏

📝 Update: The sample was originally discovered by Hossein Jazi of MalwareBytes.

MalwareBytes has now published their detailed analysis:

"New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app"
As noted in his tweet, current detections for both the malware’s disk image and payload are at 0% (though this is likely to change as AV engines update their signature databases):

The Lazarus APT group (North Korea) is arguably the most prevalent (or perhaps just the most visible) APT group in the macOS space. In fact, the majority of my recent macOS malware blogs have been about their creations:

“OSX.Yort”

“Pass the AppleJeus”

“Lazarus Group Goes ‘Fileless’”

Though not remarkably sophisticated, they continue to …