North Korean hackers infect real 2FA app to compromise Macs

Hackers have hidden malware in a legitimate two-factor authentication (2FA) app for macOS to distribute Dacls, a remote access trojan associated with the North Korean Lazarus group.

Dacls has been used to target Windows and Linux platforms and the recently discovered RAT variant for macOS borrows from them much of the functionality and code.

Setting persistence

The threat actor planted the malware in the freely available MinaOTP application that is prevalent among Chinese users. A sample of its weaponized version with the name TinkaOTP was uploaded from Hong Kong last month to the VirusTotal scanning service.

At that time, on April 8, it passed undetected, say malware analysts from Malwarebytes in a report this week. Currently, the malicious file is spotted by 23 out of 59 antivirus engines.

The malware executes after rebooting the system as it is added to the property list (plist) file used by LaunchDaemons and LaunchAgents to run applications at startup.

Same RAT, different OS

Connections with the Dacls for Windows and Linux are evident. The researchers discovered in the macOS variant that the names for the certificate and private file - “c_2910.cls” and “k_3872.Cls” - are the same across all three operating systems.

Further evidence to the common root is given by the configuration file of the malware, which is encrypted with the same AES key and initialization vector seen in Dacls RAT for Linux.

Going deeper, the researchers found that six of the seven plugins in the macOS sample are also present in the Linux variant. The novelty is the Socks module that starts a proxy between the malware and the C2 infrastructure.

Researchers at Qihoo 360’s Netlab detailed the functions of the six plugins in analysis published in mid-December 2019. These are used for the following purposes:

• CMD/Bash plugin - receiving and executing C2 commands
• File plugin - file management (read, write, delete, download from specific server, search); write function is not supported in the Dacls for macOS
• Process plugin - process management (kill, run, get process ID, enumerate)
• Test plugin - same code in both macOS and Linux versions, tests connection to an IP address and port specified by C2
• RP2P (reverse peer-to-peer) plugin - proxy server between C2 and the infected system
• LogSend plugin - checks connection to Log server, scans network on ports 8291 or 8292, executes system commands that take a long time

The connection to the C2 server relies on the open-source WolfSSL library for secure communication, which is used by multiple threat actors.

Slipping malware into legitimate applications for macOS is not a first for the Lazarus group. A report in 2018 from Kaspersky revealed that the hackers had trojanized an installer for a cryptocurrency trading platform.

In September 2019, malware researchers analyzed a trading app for macOS that packed malware for stealing user information. Fast forward to December, a new macOS malware from Lazarus and using the same tactic emerged on the public radar.

Comments are closed.