macOS users who think they have protected themselves by downloading a particular two-factor authentication application may have actually infected their machines with a new variant of the Dacls remote access trojan.
When Dacls was originally discovered in late 2019, it was known to target Windows and Linux platforms, but now it appears Macs are no longer safe from this threat, according to a new blog post from Malwarebytes, whose researchers uncovered the threat.
The 2FA app that was caught spreading the RAT was first observed on Apr. 8, and has been identified as a trojanized version of MinaOTP, which is used primarily by Chinese speakers. However, there is presumably nothing stopping the adversaries behind Dacls from trojanizing additional apps catering to users who speak any number of languages.
“[The attackers] used a legitimate 2FA app from its official GitHub repository, added their malicious executable and packaged it as a Mac application. The original MinaOTP remains clean; it was simply used as a building block,” the Malwarebytes Threat Intelligence team told SC Media in an interview.
“Using a 2FA app is interesting because it can target and steal 2FA data from the victim’s machine too. The deployed RAT has the capability to download additional payloads and it is expected that at some point the actor will capture 2FA data to access other accounts used by the victim.”
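The trojanizing pattern Malwarebytes describes, a clean app bundle with one extra executable added, suggests a simple defender-side triage check. The script below is an added example, not code from the article or from Malwarebytes: it walks a .app bundle, identifies Mach-O files by magic number, and reports any executable other than the one declared in Info.plist. It assumes the standard bundle layout and builds its own constructed sample bundle in a temporary directory.

```python
"""Heuristic check for an app bundle carrying a Mach-O executable beyond the one
declared in Info.plist (the pattern above: a malicious binary added to a clean app).
Assumes the standard Contents/Info.plist + Contents/MacOS layout; sample is constructed."""
import os
import plistlib
import tempfile

# Mach-O magic numbers: 32/64-bit in both byte orders, plus FAT/universal.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def is_macho(path):
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS

def undeclared_executables(bundle):
    """Bundle-relative paths of Mach-O files that are neither the declared
    CFBundleExecutable nor under Contents/Frameworks (which legitimately holds
    dylibs). A non-empty list is a triage lead, not a verdict: legitimate apps ship
    helpers too, so diff against the upstream release before concluding anything."""
    with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as f:
        declared = plistlib.load(f)["CFBundleExecutable"]
    main_binary = os.path.join("Contents", "MacOS", declared)
    found = []
    for root, _, files in os.walk(bundle):
        rel_root = os.path.relpath(root, bundle)
        if rel_root.startswith(os.path.join("Contents", "Frameworks")):
            continue
        for name in files:
            rel = os.path.join(rel_root, name)
            if rel != main_binary and is_macho(os.path.join(root, name)):
                found.append(rel)
    return sorted(found)

def build_sample_bundle():
    """Constructed fake bundle: declared main binary plus an extra Mach-O dropped
    into Resources, mimicking the trojanizing pattern; a PNG is included as a
    non-executable control that must be ignored."""
    app = os.path.join(tempfile.mkdtemp(), "Sample.app")
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    os.makedirs(os.path.join(app, "Contents", "Resources"))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": "Sample"}, f)
    for rel in ("Contents/MacOS/Sample", "Contents/Resources/helper"):
        with open(os.path.join(app, rel), "wb") as f:
            f.write(b"\xcf\xfa\xed\xfe" + b"\0" * 28)  # 64-bit LE Mach-O header stub
    with open(os.path.join(app, "Contents", "Resources", "icon.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")
    return app
```

Running `undeclared_executables(build_sample_bundle())` on the constructed bundle flags only the extra helper; against a real download, compare the flagged paths with the upstream GitHub release rather than treating a hit as proof of compromise.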
Dacls has been linked to the Lazarus group, aka Hidden Cobra, which is a reputed North Korea-sponsored APT actor. It comes with seven plugins that grant it a variety of capabilities, including command execution, file management, traffic proxying, worm scanning, and reading, deleting, downloading and searching files.
The RAT establishes command-and-control communication over a TLS connection, performs a beaconing process and then encrypts the data it sends over that SSL channel.