
2FA app weaponized to infect Mac users with Dacls RAT

MacOS users who think they have protected themselves by downloading a particular two-factor authentication application may have actually infected their machines with a new variant of the Dacls remote access trojan.

When Dacls was originally discovered in late 2019, it was known to target Windows and Linux platforms, but now it appears Macs are no longer safe from this threat, according to a new blog post from Malwarebytes, whose researchers uncovered the threat.

The 2FA app that was caught spreading the RAT was first observed on Apr. 8, and has been identified as a trojanized version of MinaOTP, which is used primarily by Chinese speakers. However, there is presumably nothing stopping the adversaries behind Dacls from trojanizing additional apps catering to users who speak any number of languages.

"[The attackers] used a legitimate 2FA app from its official GitHub repository, added their malicious executable and packaged it as a Mac application. The original MinaOTP remains clean; it was simply used as a building block," the Malwarebytes Threat Intelligence team told SC Media in an interview.

"Using a 2FA app is interesting because it can target and steal 2FA data from the victim's machine too. The deployed RAT has the capability to download additional payloads and it is expected that at some point the actor will capture 2FA data to access other accounts used by the victim."
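The technique described above, a clean app bundle with an extra executable added to it, suggests a simple triage check that a defender can run over a suspicious `.app`: compare every Mach-O file inside the bundle against the single executable that `Info.plist` declares via `CFBundleExecutable`. The script below is an added illustration written for this article, not code from Malwarebytes or from the MinaOTP project, and it does not claim to reproduce the exact layout of the trojanized bundle; the bundle name `SampleOTP.app`, the `helper` binary and the header bytes are constructed test data, and the assumption is only that the smuggled payload is a separate Mach-O file somewhere in the bundle.

```python
"""Scan a macOS .app bundle for executables beyond the one Info.plist declares.

Constructed example: a trojanized bundle is modelled as a legitimate app plus an
extra Mach-O binary dropped into Contents/MacOS. The bundle layout, file names and
header bytes below are fabricated for this demo and do not describe a real sample.
"""
import os
import plistlib
import tempfile

# Mach-O magic numbers (32-bit, 64-bit and fat/universal), both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # fat/universal
}


def is_macho(path):
    """Return True if the file starts with a Mach-O magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_undeclared_executables(app_path):
    """Return Mach-O files in the bundle other than the declared CFBundleExecutable.

    Paths are relative to the bundle root. Frameworks and helper apps legitimately
    carry extra binaries, so treat a hit as a lead for manual review, not as proof.
    """
    info_plist = os.path.join(app_path, "Contents", "Info.plist")
    with open(info_plist, "rb") as fh:
        declared = plistlib.load(fh).get("CFBundleExecutable")
    declared_rel = os.path.join("Contents", "MacOS", declared) if declared else None

    extras = []
    for root, _dirs, files in os.walk(app_path):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, app_path)
            if is_macho(full) and rel != declared_rel:
                extras.append(rel)
    return sorted(extras)


def build_sample_bundle(base_dir, add_implant):
    """Create a minimal fake .app bundle (constructed test data, not a real app)."""
    app = os.path.join(base_dir, "SampleOTP.app")
    macos_dir = os.path.join(app, "Contents", "MacOS")
    os.makedirs(macos_dir)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "SampleOTP",
                       "CFBundleIdentifier": "example.sampleotp"}, fh)
    # Declared main executable: fake 64-bit Mach-O header followed by padding.
    with open(os.path.join(macos_dir, "SampleOTP"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    # A non-executable resource that must not be flagged.
    res_dir = os.path.join(app, "Contents", "Resources")
    os.makedirs(res_dir)
    with open(os.path.join(res_dir, "icon.txt"), "w") as fh:
        fh.write("not a binary")
    if add_implant:
        # Extra binary placed alongside the real one (the trojanization modelled here).
        with open(os.path.join(macos_dir, "helper"), "wb") as fh:
            fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    return app


def demo(add_implant=True):
    """Build a sample bundle in a temp dir and return any undeclared executables."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_sample_bundle(tmp, add_implant)
        return find_undeclared_executables(app)


if __name__ == "__main__":
    print("clean bundle:     ", demo(add_implant=False))
    print("trojanized bundle:", demo(add_implant=True))
```

On a real system this check is a first pass only: `codesign --verify --deep` and a comparison of the bundle's contents against a known-good copy from the upstream repository are the stronger controls, because a repackaged app can also carry its payload inside the main executable rather than as a separate file.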


Dacls has been linked to the Lazarus group, aka Hidden Cobra, which is a reputed North Korea-sponsored APT actor. It comes with seven plugins that grant it a variety of capabilities, including command execution, file management, traffic proxying, worm scanning, and reading, deleting, downloading and searching files.

The app enables command-and-control communication by establishing a TLS connection, running a beaconing process and then encrypting the data it sends over that SSL/TLS channel.

Bradley Barth