North Korea-linked Lazarus APT uses a Mac variant of the Dacls RAT

North Korea-linked Lazarus APT group employed a Mac variant of the Dacls Remote Access Trojan (RAT) in recent attacks.

North Korea-linked Lazarus APT has already used at least two macOS malware families in previous attacks; now researchers from Malwarebytes have identified a new Mac variant of the Linux-based Dacls RAT.

The activity of the Lazarus APT group (aka HIDDEN COBRA) surged in 2014 and 2015, when its members mostly used custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it has been involved both in cyber espionage campaigns and in sabotage activities aimed at destroying data and disrupting systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

Dacls was first spotted by researchers at Qihoo 360 Netlab in December 2019 when it was used to target both Windows and Linux devices.

It was the first malware linked to the Lazarus group that targets Linux systems.

Malwarebytes researchers observed the Mac version of Dacls being distributed via a Trojanized two-factor authentication application for macOS called MinaOTP, mostly used by Chinese speakers.

“We recently identified what we believe is a new variant of the Dacls Remote Access Trojan (RAT) associated with North Korea’s Lazarus group, designed specifically for the Mac operating system,” reads the analysis published by the researchers.

On April 8th, threat actors submitted to VirusTotal a suspicious Mac application named “TinkaOTP.” The malicious code was uploaded from Hong Kong, and none of the engines detected it at the time.

Both Linux and Mac variants implement a variety of features including command execution, file management, traffic proxying, and worm scanning.

The Dacls RAT achieves persistence through LaunchDaemons or LaunchAgents, each of which is defined by a property list (plist) file that specifies the application to be executed after reboot. Experts pointed out that LaunchAgents run code on behalf of the logged-in user, while LaunchDaemons run code as the root user.
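The persistence mechanism described above is one a defender can audit directly, because every LaunchAgent and LaunchDaemon is declared in a plist on disk. The script below is an added example written for this page, not code from Malwarebytes or from the Dacls sample: it parses launchd plists with Python's standard plistlib and flags items that auto-start a program from an unusual location (hidden or temporary directories) or that carry a `com.apple.` label while pointing outside Apple's own paths. The trusted-prefix allowlist and the two sample plists are constructed assumptions for illustration, not indicators from the report.

```python
import plistlib
from pathlib import Path

# Directories launchd consults for persistence items. LaunchAgents run as the
# logged-in user, LaunchDaemons run as root (as the article notes).
PERSISTENCE_DIRS = [
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
    Path.home() / "Library" / "LaunchAgents",
]

# Assumption (illustrative allowlist, not an Apple-published list): a plist that
# auto-starts a program outside these locations deserves a second look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")
APPLE_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/")


def program_path(plist):
    """Return the executable a launchd plist would run, or None if it has none."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if args:
        return args[0]
    return None


def assess_plist(plist):
    """Return human-readable reasons a launchd item looks suspicious ([] if none)."""
    reasons = []
    prog = program_path(plist)
    if prog is None:
        reasons.append("no Program/ProgramArguments")
        return reasons
    # RunAtLoad or KeepAlive means the item starts without user action.
    autostart = bool(plist.get("RunAtLoad", False) or plist.get("KeepAlive", False))
    if autostart and not prog.startswith(TRUSTED_PREFIXES):
        reasons.append(f"auto-starts program outside trusted locations: {prog}")
    if "/." in prog:
        reasons.append(f"program lives in a hidden directory: {prog}")
    if prog.startswith(TEMP_PREFIXES):
        reasons.append(f"program lives in a temp directory: {prog}")
    label = plist.get("Label", "")
    if label.startswith("com.apple.") and not prog.startswith(APPLE_PREFIXES):
        reasons.append(f"label impersonates Apple but program is {prog}")
    return reasons


def parse_plist_bytes(data):
    """Parse XML or binary plist bytes into a dict (plistlib detects the format)."""
    return plistlib.loads(data)


def scan_directories(dirs=PERSISTENCE_DIRS):
    """Walk the launchd directories and return {path: reasons} for flagged items."""
    findings = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for p in d.glob("*.plist"):
            try:
                plist = parse_plist_bytes(p.read_bytes())
            except Exception as exc:  # an unparseable plist is itself worth noting
                findings[str(p)] = [f"could not parse: {exc}"]
                continue
            reasons = assess_plist(plist)
            if reasons:
                findings[str(p)] = reasons
    return findings


# Constructed sample plists for demonstration (not real Dacls artifacts).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/.hidden/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/Applications/Backup.app/Contents/MacOS/backupd</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, assess_plist(parse_plist_bytes(raw)))
    for path, reasons in scan_directories().items():
        print(path, reasons)
```

Run it on a Mac to list flagged items in the three standard launchd directories; on any other system the directory scan simply finds nothing and only the two constructed samples are assessed. The heuristics are deliberately simple so that they are easy to extend with an organisation's own allowlist or with a hash lookup of the referenced binary.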

The Mac version uses the same AES key and IV as the Linux variant to encrypt and decrypt the config file.

Once initialized, the main loop uploads the C2 server information from the config file to the server, downloads the config file contents from the server and updates the local config file, uploads information collected from the victim’s machine by calling the “getbasicinfo” function, and sends heartbeat information.

The malware has seven plugins, six of which are the same ones discovered in the Linux variant (CMD – receives and executes commands; file – can read, delete, download and search files; process – can kill, run, and get process IDs; test – checks the connection to an IP and port; RP2P – proxy server; LogSend – checks the connection to the log server, scans the network, and executes long-running system commands), while the seventh, named SOCKS, is used to proxy network traffic from the victim to the C&C server.

The Mac RAT implements a C&C communication similar to the Linux variant.

Like the Linux variant, the backdoor communicates with the C&C using a TLS connection and encrypts data using the RC4 algorithm.

“Both Mac and Linux variants use the WolfSSL library for SSL communications. WolfSSL is an open-source implementation of TLS in C that supports multiple platforms. This library has been used by several threat actors.” continues the report.

Additional technical details, such as IoCs, are included in the report published by Malwarebytes.

Pierluigi Paganini

(SecurityAffairs – Dacls RAT, hacking)




Source: https://securityaffairs.co/wordpress/102981/apt/lazarus-apt-mac-dacls-rat.html
