North Korea-linked Lazarus APT group employed a Mac variant of the Dacls Remote Access Trojan (RAT) in recent attacks.
The activity of the Lazarus APT group (aka HIDDEN COBRA) surged in 2014 and 2015; its members mostly used custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it has been involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.
Dacls was first spotted by researchers at Qihoo 360 Netlab in December 2019 when it was used to target both Windows and Linux devices.
It was the first malware linked to the Lazarus group that targets Linux systems.
Malwarebytes researchers observed the Mac version of Dacls being distributed via a Trojanized two-factor authentication application for macOS called MinaOTP, mostly used by Chinese speakers.
“We recently identified what we believe is a new variant of the Dacls Remote Access Trojan (RAT) associated with North Korea’s Lazarus group, designed specifically for the Mac operating system.” reads the analysis published by the researchers.
On April 8th, threat actors submitted a suspicious Mac application named “TinkaOTP” to VirusTotal; the sample was uploaded from Hong Kong, and none of the engines detected it at the time.
Both Linux and Mac variants implement a variety of features including command execution, file management, traffic proxying, and worm scanning.
The Dacls RAT achieves persistence through LaunchDaemons or LaunchAgents, which take a property list (plist) file specifying the application to be executed after reboot. Experts pointed out that LaunchAgents run code on behalf of the logged-in user, while LaunchDaemons run code as root.
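One defender-side check for this persistence mechanism, as an added example that is not part of the original article or the Malwarebytes report: it parses launchd plists with Python's plistlib, records whether the item would run as root or as the logged-in user, and flags programs living outside the usual system locations. The sample plists, labels and paths are constructed for illustration.

```python
import plistlib

# launchd locations and the privilege each implies: LaunchAgents run as
# the logged-in user, LaunchDaemons as root.
LAUNCHD_ROOTS = {"/Library/LaunchDaemons/": "root",
                 "/Library/LaunchAgents/": "logged-in user",
                 "~/Library/LaunchAgents/": "logged-in user"}
# Executable locations that are normally benign for a launchd item.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/Apple/")

# Constructed sample plists (not taken from the Dacls report): a typical
# system daemon, and an agent whose program sits in a hidden user directory.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.constructed.benign</string>
<key>ProgramArguments</key><array><string>/usr/libexec/constructed-service</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
ODD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.constructed.updater</string>
<key>ProgramArguments</key><array><string>/Users/alice/Library/.cache/.updater</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""


def triage_plist(plist_path, plist_bytes):
    """Parse one launchd plist and return the facts an analyst checks first."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    runs_as = next((who for root, who in LAUNCHD_ROOTS.items()
                    if plist_path.startswith(root)), "unknown")
    flags = []
    if not program:
        flags.append("no program specified")
    elif not program.startswith(TRUSTED_PREFIXES):
        flags.append("program outside trusted locations: " + program)
    if "/." in program:
        flags.append("program path contains a hidden directory")
    # RunAtLoad/KeepAlive are common on legitimate items too, so they are
    # reported as context rather than counted as evidence on their own.
    context = [k for k in ("RunAtLoad", "KeepAlive") if data.get(k)]
    return {"label": data.get("Label", ""), "program": program, "runs_as": runs_as,
            "context": context, "flags": flags, "suspicious": bool(flags)}


def triage_many(items):
    """items: iterable of (plist_path, plist_bytes); return the suspicious results."""
    results = [triage_plist(path, blob) for path, blob in items]
    return [r for r in results if r["suspicious"]]
```

On a live system the same functions can be fed the contents of the directories listed in LAUNCHD_ROOTS; the output is a triage list, not a verdict.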
The Mac version uses the same AES key and IV as the Linux variant to encrypt and decrypt the config file.
Upon initialization, the main loop is executed; it uploads C2 server information from the config file to the server, downloads the config file contents from the server and updates the config file, uploads information collected from the victim’s machine by calling the “getbasicinfo” function, and sends heartbeat information.
The malware has seven plugins, six of which are the same as those discovered in the Linux variant: CMD receives and executes commands; file can read, delete, download and search files; process can kill, run, and get process IDs; test checks the connection to an IP and port; RP2P is a proxy server; LogSend checks the connection to the log server, scans the network, and executes long-running system commands. The seventh plugin, named SOCKS, is used to proxy network traffic from the victim to the C&C server.
The Mac RAT implements a C&C communication similar to the Linux variant.
Like the Linux variant, the backdoor communicates with the C&C using a TLS connection and encrypts data using the RC4 algorithm.
“Both Mac and Linux variants use the WolfSSL library for SSL communications. WolfSSL is an open-source implementation of TLS in C that supports multiple platforms. This library has been used by several threat actors.” continues the report.
Additional technical details, such as IoCs, are included in the report published by Malwarebytes.
(SecurityAffairs – Dacls RAT, hacking)
Expert Reaction On Millions of LiveAuctioneers Passwords for Sale
Researchers at CloudSEK claim to have found evidence of the sale of a database containing 3.4 million users of the online art and antique auction website.
Security firm G4S fined by Serious Fraud Office
Security firm G4S has been fined £44m by the Serious Fraud Office (SFO) as part of an agreement that will see it avoid prosecution for overcharging the Ministry of Justice for the electronic tagging of offenders, some of whom had died.
The SFO said G4S had accepted responsibility for three counts of fraud that were carried out in an effort to “dishonestly mislead” the government, in order to boost its profits.
Source: The Guardian
Highly-Critical SAP bug that could let attackers take over corporate servers patched
SAP has patched a critical vulnerability impacting the LM Configuration Wizard component in NetWeaver Application Server (AS) Java platform, allowing an unauthenticated attacker to take control of SAP applications.
The bug, dubbed RECON and tracked as CVE-2020-6287, is rated with a maximum CVSS score of 10 out of 10, potentially affecting over 40,000 SAP customers, according to cybersecurity firm Onapsis, which uncovered the flaw.
Source: The Hacker News