The infamous Lazarus group is believed to be responsible for the malware attack.
Researchers from Malwarebytes Labs have once again uncovered a fresh attack by the Lazarus group, in which the group planted potent malware into the free MinaOTP, a two-factor authentication (2FA) app for macOS whose users are mostly in China.
The Lazarus group, active since 2009 and believed to operate from North Korea, is one of the most consistent hacking groups of recent years. It is reported to have trojanized MinaOTP to spread a trojan called Dacls, which is used to gain remote access to any vulnerable system. Once active, Dacls manages the system's processes, proxies traffic, executes commands, manages the system's files, and performs worm scanning.
After Dacls gathers information, it connects back to its C2 server through a TLS connection, encrypts the data, and transmits it over SSL "using the RC4 algorithm." Dacls starts running again after every reboot because it adds itself to a property list (plist) file in LaunchAgents or LaunchDaemons, which macOS uses to run applications at startup.
Malwarebytes Details The Lazarus Group Malware Attack
Malwarebytes Labs says the links to the Windows and Linux versions of Dacls are evident: in the macOS variant, the names of the private file and certificate, "k_3872.Cls" and "c_2910.cls", are the same across all three operating systems.
They also found that six of the seven plugins in the macOS sample are present in the Linux variant. The new one is the Socks module, which runs a proxy between the malware and the C2 components.
Further evidence points to the same origin: the malware's configuration file is encrypted with the same AES key and initialization vector seen in the Dacls RAT for Linux. As of this report, only 23 of the 59 antivirus engines detect the Dacls file.
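As an added defender-side example (not code from the Malwarebytes report or this article), the script below audits launchd persistence plists of the kind Dacls uses and flags entries whose executable sits outside normal system locations or that reference the file names shared across the three Dacls variants. The sample plists, the com.example and com.constructed labels, the /Users/demo paths and the trusted-path list are constructed assumptions for the example.

```python
import os
import plistlib
# File names quoted in the article (same across the Windows, Linux and macOS Dacls variants).
DACLS_ARTEFACTS = {"k_3872.cls", "c_2910.cls"}
# Where a launch item's executable is normally expected to live (assumption for this example).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")
# Persistence directories that launchd reads at boot and login.
LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents", os.path.expanduser("~/Library/LaunchAgents")]

def audit_launch_item(plist_bytes: bytes) -> dict:
    """Parse one launchd plist and report why a reviewer should look at it."""
    item = plistlib.loads(plist_bytes)
    args = item.get("ProgramArguments") or ([item["Program"]] if "Program" in item else [])
    program = args[0] if args else ""
    findings = []
    if program and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"executable outside trusted locations: {program}")
    hits = sorted({os.path.basename(a).lower() for a in args} & DACLS_ARTEFACTS)
    if hits:
        findings.append("references Dacls artefact name(s): " + ", ".join(hits))
    return {"label": item.get("Label", "?"), "program": program,
            "run_at_load": bool(item.get("RunAtLoad")),
            "findings": findings, "suspicious": bool(findings)}

def scan_directory(path: str) -> list:
    """Audit every .plist in one LaunchAgents/LaunchDaemons directory (empty if absent)."""
    results = []
    for name in (sorted(os.listdir(path)) if os.path.isdir(path) else []):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                results.append(audit_launch_item(fh.read()))
    return results

# Constructed samples, not the real Dacls plist: a benign system-style item, and a persistence
# entry whose binary lives under a user directory and is given a Dacls certificate name.
BENIGN_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/usr/libexec/example-updater</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
SUSPECT_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.constructed.sample</string>
<key>ProgramArguments</key><array><string>/Users/demo/.cache/agent</string>
<string>/Users/demo/.cache/c_2910.cls</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""

if __name__ == "__main__":
    for blob in (BENIGN_PLIST, SUSPECT_PLIST):
        print(audit_launch_item(blob))
    for d in LAUNCH_DIRS:  # live check of this host's own launch items
        print(d, [r for r in scan_directory(d) if r["suspicious"]])
```

On a real host the live loop only lists items that trip a check; RunAtLoad alone is reported but not treated as suspicious, since many legitimate agents set it.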
Attacking macOS devices and applications with malware is nothing new for the Lazarus group: a 2018 report from Kaspersky showed the group targeting a cryptocurrency trading platform with a trojanized installer to steal users' sensitive information.