Lazarus Group keeps adding feathers to its cap. This time it has added a new variant of the Dacls RAT to its arsenal of spy tools, one tailored for macOS. Dacls first came to light in December last year, when it was targeting Linux and Windows platforms. The new Mac version is spreading through a trojanized two-factor authentication (2FA) app for macOS known as MinaOTP.
What is happening:
- Dacls is a full-featured covert remote-access trojan that supports worm scanning, file management, command execution, and traffic proxying. The Mac version is mostly used by Chinese speakers.
- The RAT persists through LaunchAgents or LaunchDaemons, each defined by a plist (property list) file that specifies the program to be executed after reboot.
- The malware carries a configuration file encrypted with AES. This config file is continually updated with commands received from the C2 server.
- The malware uploads the information it collects by calling the “getbasicinfo” function, and it also sends “heartbeat” messages.
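The launchd persistence described above is something defenders can audit directly: every LaunchAgent or LaunchDaemon is a plist, and the plist names the program launchd will start. The helper below is an added example, not code from the article or from any vendor report; it parses a constructed sample plist, extracts what would be executed, and applies a few triage heuristics. The trusted-prefix allow-list and the sample label and paths are assumptions for illustration.

```python
import plistlib
from pathlib import Path

# Constructed sample of the plist shape a LaunchDaemon/LaunchAgent entry takes:
# launchd reads it at boot or login and starts the listed program.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Application Support/.hidden/helper</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Assumed allow-list of locations where legitimate launch items usually live; tune it per fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")

def summarize_launch_item(data: bytes) -> dict:
    """Extract what launchd would execute from the raw bytes of a plist."""
    info = plistlib.loads(data)
    args = list(info.get("ProgramArguments") or [])
    program = info.get("Program") or (args[0] if args else None)
    return {"label": info.get("Label"), "program": program, "arguments": args[1:],
            "run_at_load": bool(info.get("RunAtLoad", False)),
            "keep_alive": bool(info.get("KeepAlive", False))}

def suspicious_reasons(summary: dict) -> list:
    """Cheap heuristics a responder checks before examining the binary itself."""
    program = summary["program"]
    if program is None:
        return ["no program specified"]
    reasons = []
    if not str(program).startswith(TRUSTED_PREFIXES):
        reasons.append("program outside trusted prefixes")
    if any(part.startswith(".") for part in Path(str(program)).parts):
        reasons.append("hidden path component")
    if summary["run_at_load"] and summary["keep_alive"]:
        reasons.append("RunAtLoad with KeepAlive (relaunches if killed)")
    return reasons

def audit_directory(directory: str) -> dict:
    # Map each flagged plist in a LaunchAgents/LaunchDaemons folder to its reasons.
    findings = {}
    for plist_path in sorted(Path(directory).glob("*.plist")):
        try:
            reasons = suspicious_reasons(summarize_launch_item(plist_path.read_bytes()))
        except Exception as exc:  # malformed or non-plist file is itself worth a look
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[str(plist_path)] = reasons
    return findings
```

Run `audit_directory` over `/Library/LaunchDaemons`, `/Library/LaunchAgents` and each user's `~/Library/LaunchAgents` to get a list of items worth a closer look.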
What the experts are saying:
- Another variant of this trojan downloads the malicious payload using a curl command.
- This Mac variant of Dacls is suspected to be linked to the Lazarus Group, also known as Hidden Cobra and APT 38. The group has been conducting cyber-espionage operations since 2009.
- The group is infamous for building custom malware for different platforms.
The RAT has been identified as OSX-DaclsRAT. Many features of the Mac variant mirror those of the Linux variant. Both the Linux and Mac versions use the WolfSSL library for SSL communications; WolfSSL is an open-source implementation of TLS written in C that supports a variety of platforms.
What you can do:
The situation looks alarming, though not overwhelmingly so, since this group's activities are motivated by financial gain. That same motivation, however, makes it a serious threat to most organizations. Defenders should have strong log monitoring capabilities, protection against phishing, patch management programs, and rules that distinguish legitimate communication from anomalous traffic.
Organizations are advised to include APT 38 in their threat mitigation planning. Nevertheless, it has not yet been disclosed how this malware is connected to the Lazarus Group.