Hackers hid malware inside a legitimate two-factor authentication (2FA) application for macOS to spread Dacls, a remote access trojan (RAT) linked to the North Korean Lazarus group.
Dacls has previously been used on both Windows and Linux, and the newly discovered macOS variant of the RAT shares most of their functionality and code.
Establishing persistence
The threat actor embedded the malware in MinaOTP, a free 2FA application distributed to Chinese users. A sample of the weaponized version, named TinkaOTP, was uploaded to the VirusTotal scanning service from Hong Kong last month.
At that time, on April 8, it went undetected, malware analysts say in a report this week. Currently, 23 of the 59 antivirus engines detect the malicious file.
The malware starts after a system reboot because it registers itself through a property list (plist) file of the kind used by LaunchDaemons and LaunchAgents to run programs at boot.
The difference between the two is that LaunchAgents run code as the logged-in user, while LaunchDaemons run code as root, a distinction that matters for malicious code.
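A defender hunting for this kind of persistence would enumerate the launchd plists and check what each one runs, under which account, and whether the target program lives somewhere unusual. The script below is an added example and is not code from the article or from the Malwarebytes analysis; the sample plists, the label `com.example.placeholder` and the program paths in them are constructed placeholders, and the list of "unusual" directories is an assumption chosen for illustration.

```python
"""Audit macOS launchd property lists for persistence indicators (added example)."""
import plistlib
from pathlib import Path

# Where launchd looks for persistence items and the account each item runs under.
# Items under /Library/LaunchDaemons run as root; LaunchAgents run as the logged-in user.
LAUNCHD_DIRS = {
    "/Library/LaunchDaemons": "root",
    "/Library/LaunchAgents": "logged-in user",
    "~/Library/LaunchAgents": "logged-in user",
}

# Assumption for this example: legitimate launchd-started programs rarely live here.
UNUSUAL_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")


def _unusual_location(program):
    """True if the program is in a temp/shared directory or inside a hidden directory."""
    if program is None:
        return False
    if program.startswith(UNUSUAL_PREFIXES):
        return True
    # A dot-directory anywhere between the root and the file name, e.g. /Users/x/.cache/bin
    return any(part.startswith(".") for part in Path(program).parts[1:-1])


def audit_launch_item(plist_bytes, plist_path):
    """Summarise what a launchd plist would run, as whom, and why it is notable."""
    data = plistlib.loads(plist_bytes)           # handles XML and binary plists
    program = data.get("Program")
    if program is None and data.get("ProgramArguments"):
        program = data["ProgramArguments"][0]   # argv[0] is the executable
    parent = str(Path(plist_path).parent)
    runs_as = "unknown"
    for directory, account in LAUNCHD_DIRS.items():
        if parent in (directory, str(Path(directory).expanduser())):
            runs_as = account
    flags = []
    if data.get("RunAtLoad"):
        flags.append("starts at boot/login (RunAtLoad)")
    if data.get("KeepAlive"):
        flags.append("restarted if killed (KeepAlive)")
    if _unusual_location(program):
        flags.append("program in unusual location")
    return {"label": data.get("Label"), "program": program,
            "runs_as": runs_as, "flags": flags}


def audit_directory(directory):
    """Audit every .plist in a real launchd directory; returns [] if it does not exist."""
    path = Path(directory).expanduser()
    if not path.is_dir():
        return []
    return [audit_launch_item(p.read_bytes(), str(p)) for p in sorted(path.glob("*.plist"))]


# Constructed sample: a daemon that runs a binary from a hidden dir under /Users/Shared.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.placeholder</string>
    <key>ProgramArguments</key>
    <array><string>/Users/Shared/.hidden/updater</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample: an agent pointing at a conventional system location.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.benign</string>
    <key>Program</key><string>/usr/libexec/placeholder-helper</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    print(audit_launch_item(SAMPLE_PLIST, "/Library/LaunchDaemons/com.example.placeholder.plist"))
    print(audit_launch_item(BENIGN_PLIST, "/Library/LaunchAgents/com.example.benign.plist"))
    # On a real Mac, list the items that deserve a closer look.
    for directory in LAUNCHD_DIRS:
        for item in audit_directory(directory):
            if "program in unusual location" in item["flags"]:
                print("REVIEW:", item)
```

The `runs_as` field is what the paragraph above is about: the same plist content placed under `/Library/LaunchDaemons` instead of a `LaunchAgents` directory would execute as root, so the directory a persistence entry lands in is as important as the program it points to.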
Same RAT, different operating system
The links to Dacls for Windows and Linux are clear. The researchers found that the certificate and private key file names in the macOS variant, c_2910.cls and k_3872.Cls, are the same across all three operating systems.
Further evidence of a common origin is the malware's configuration file, which is encrypted with the same AES key and initialization vector used by the Dacls RAT for Linux.
On closer inspection, the researchers found that six of the seven plugins in the macOS sample are also present in the Linux version. The Socks module, which starts a proxy between the malware and the C2 infrastructure, is new.
Researchers at Qihoo 360 Netlab described the functions of the six plugins in detail in an analysis published in mid-December 2019. They serve the following purposes:
- CMD/Bash plugin – receives and executes C2 commands
- File plugin – file management (read, write, delete, download from a specified server, search); the write function is not supported in Dacls for macOS
- Process plugin – process control (kill, start, get process ID, list)
- Test plugin – the same code in the macOS and Linux versions; tests the connection to the IP address and port specified by C2
- RP2P (reverse peer-to-peer) plugin – proxy server between C2 and the infected system
- LogSend plugin – checks the connection to the log server, scans the network for ports 8291 or 8292, executes long-running system commands
The connection to the C2 server relies on the open-source WolfSSL library for secure communication, which various threat actors have used.
This is not the first time the Lazarus Group has been seen planting malware in legitimate macOS applications. A 2018 Kaspersky report showed that the hackers had trojanized the installer of a cryptocurrency trading platform.
In September 2019, malware researchers analyzed a trojanized macOS trading application containing malware that stole user information. In December, new Lazarus macOS malware using the same tactics quickly appeared on the public radar.