Threat Watch

New Dacls RAT Variant Now Targets Mac Users

North Korea (Lazarus Group): A new variant of the Dacls RAT (Remote Access Trojan) has been adapted from an existing Linux version to target Mac users. Dacls was first seen back in December targeting Windows and Linux users. This latest variant of Dacls spreads through a trojanized version of MinaOTP, a two-factor authentication application for macOS used mostly by Chinese-speaking users, according to Malwarebytes. Once the application is installed, it creates a property list file (plist) which specifies that the app is to be executed after reboot. The trojanized app also includes a config file disguised to look like a database file related to Apple’s AppStore, saved to: “Library/Caches/com.applestore.db”. Once installed, the application appears under the name Mina, which reinforces the façade that this trojanized application is the legitimate MinaOTP. As with other versions of the Dacls RAT, this allows the attackers to execute commands remotely, manage files, proxy traffic, and run scans.
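The two host-side artifacts the bulletin describes, a plist that starts the app after reboot and a config file written to Library/Caches/com.applestore.db, are exactly what a responder would sweep a Mac for. The script below is an added example, not the bulletin's or Malwarebytes' tooling. It assumes the persistence plist is a launchd agent or daemon under Library/LaunchAgents or Library/LaunchDaemons using the RunAtLoad or KeepAlive keys (the bulletin only says the plist makes the app run after reboot, so the key names are an assumption), and it matches the config file purely by the path suffix the bulletin gives. The plist label and program path it plants in its constructed sample tree (com.example.mina, /Applications/Mina.app/...) are made up for the demo and are not indicators from the report.

```python
"""Sweep a home-directory tree for the macOS Dacls artifacts described above.

Added example, not the bulletin's or Malwarebytes' tooling. Assumptions:
  - persistence is a launchd plist under Library/LaunchAgents or
    Library/LaunchDaemons using the RunAtLoad / KeepAlive keys (assumed;
    the bulletin only says the plist runs the app after reboot)
  - the disguised config file is identified by the path suffix
    Library/Caches/com.applestore.db, which the bulletin does give
"""
import plistlib
import tempfile
from pathlib import Path

CONFIG_SUFFIX = "Library/Caches/com.applestore.db"   # from the bulletin
PERSIST_KEYS = ("RunAtLoad", "KeepAlive")            # assumed launchd keys
LAUNCHD_DIRS = ("LaunchAgents", "LaunchDaemons")


def launchd_program(data):
    """Return the program a launchd plist would run, or '' if none is declared."""
    if data.get("Program"):
        return str(data["Program"])
    return " ".join(str(a) for a in data.get("ProgramArguments", []))


def persistence_keys(plist_path):
    """Return (program, [keys]) for a launchd plist that starts something at login/boot."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return "", []          # unreadable or not a plist: nothing to report
    if not isinstance(data, dict):
        return "", []
    keys = [k for k in PERSIST_KEYS if data.get(k)]
    return launchd_program(data), keys


def scan_tree(root):
    """Walk root and return findings as dicts, sorted by relative path."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.endswith(CONFIG_SUFFIX):
            # strong indicator: the disguised config file at the reported path
            findings.append({"type": "dacls_config", "path": rel, "program": "", "keys": []})
        elif path.suffix == ".plist" and any(d in path.parts for d in LAUNCHD_DIRS):
            # weaker indicator: anything launchd restarts at boot/login, for analyst review
            program, keys = persistence_keys(path)
            if keys:
                findings.append({"type": "persistence", "path": rel,
                                 "program": program, "keys": keys})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Create a constructed home directory: one planted indicator set plus one benign agent."""
    root = Path(tempfile.mkdtemp(prefix="dacls_demo_"))
    caches = root / "Library" / "Caches"
    caches.mkdir(parents=True)
    (caches / "com.applestore.db").write_bytes(b"constructed sample config\n")
    agents = root / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    # constructed label and program path; the bulletin names the app 'Mina' but gives no plist label
    with open(agents / "com.example.mina.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.mina",
                       "ProgramArguments": ["/Applications/Mina.app/Contents/MacOS/Mina"],
                       "RunAtLoad": True}, fh)
    # benign agent with a timer but no start-at-boot key: must not be reported
    with open(agents / "com.example.updater.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/usr/bin/true"],
                       "StartInterval": 3600}, fh)
    return root


if __name__ == "__main__":
    home = build_sample_tree()
    for finding in scan_tree(home):
        print(finding["type"], finding["path"], finding["program"], finding["keys"])
```

On a real machine you would call scan_tree on each user's home directory (and on /Library for daemons) rather than on the constructed tree; the config-file hit is the actionable one, while the persistence list is context an analyst compares against the expected software on the host.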

ANALYST NOTES

Many businesses and users have been shifting to Apple products over the past several years out of a belief that they are more secure. While it is true that most malware is created to target Windows- and Linux-based systems, this comes more from the fact that the most widely used systems in business and government applications are Windows, while Linux is often used for critical servers. As certain systems gain more prevalence in business and government applications, so does their value to major threat actors. It is always important to ensure that any applications being installed come from legitimate publishers and are obtained through trusted sources. Several years ago, it would have been surprising to see a North Korean threat actor targeting Chinese users. This changed following the Chinese government’s choice to abide by UN sanctions on North Korea. Relations between the two nations slowly began to sour over time, especially following China’s expulsion of North Korean businesses from China. More information on this incident can be found at: https://threatpost.com/lazarus-macos-spyware-2fa-application/155532/