Lazarus Group Hides macOS Spyware in 2FA Application
Lazarus Group, a cyberthreat group with known links to North Korea, has added a new variant of the Dacls remote-access trojan (RAT) that specifically targets the macOS operating system. The Dacls RAT has been created from an existing Linux version and was first discovered last December when it targeted Windows and Linux platforms. The new Mac version is now spreading via a two-factor authentication feature that has been trojanized. It appears in a 2FA application for macOS called MinaOTP.
MinaOTP is mostly used by Chinese speakers, according to analysis. Dacls can offer attackers command execution, traffic proxying, worm scanning, and file management. When the malicious executable is started, it creates a property list file that specifies the application to be executed after reboot; the content of this file is hardcoded within the application.