Threat Feed
high threat

Lazarus Group's Dacls RAT Targets macOS

The Lazarus Group is distributing a new variant of the Dacls RAT targeting macOS systems via a trojanized application, installing a hidden executable and attempting persistence.

The Lazarus Group, a North Korean APT, is actively distributing a new variant of the Dacls RAT that targets macOS. The malware is delivered inside a trojanized one-time-password application, TinkaOTP.app, consistent with the social engineering lures the group has used before. Discovered in May 2020, the macOS variant shares significant similarities with the previously reported Windows/Linux builds, indicating a single cross-platform toolset rather than a one-off port. On launch, the application copies a hidden executable into the user's Library directory, marks it executable and runs it; that executable then attempts to persist as a launch agent. The persistence attempt fails: the binary checks for a LaunchAgents directory that is absent on a default install and does not create it, so the launch agent plist is never written.

The initial access vector for the macOS sample is not established. The Windows/Linux variant was reported alongside exploitation of CVE-2019-3396 in Atlassian Confluence, and researchers speculate the same vector may be in play here, but this is unconfirmed for macOS. The Lazarus Group continues to evolve its macOS tooling, so detection should key on the installation and execution behaviour rather than on any single build.

Attack Chain

  1. The user downloads and mounts the malicious TinkaOTP.dmg disk image.
  2. The user executes the TinkaOTP.app application.
  3. TinkaOTP.app executes /bin/cp to copy /Volumes/TinkaOTP/TinkaOTP.app/Contents/Resources/Base.lproj/SubMenu.nib to ~/Library/.mina.
  4. TinkaOTP.app executes chmod +x ~/Library/.mina to set the executable bit on the copied file.
  5. TinkaOTP.app executes the copied file ~/Library/.mina.
  6. ~/Library/.mina attempts to create a launch agent file at /Library/LaunchAgents/com.aex.lop.agent.plist.
  7. The persistence attempt fails because the /Library/LaunchAgents directory does not exist by default and the binary does not create it before writing the plist.
  8. The RAT establishes command and control with its operators (C2 addresses and protocol details are not provided in the source).

Impact

Successful execution of the trojanized application installs a remote access trojan (RAT) on the victim's macOS system, giving the Lazarus Group unauthorized interactive access with the privileges of the logged-in user. From there the malware can exfiltrate sensitive data, execute arbitrary commands and stage further tooling. The scope of targeting is currently unknown, but the group has historically targeted financial institutions and cryptocurrency exchanges, and a trojanized OTP application is a plausible lure for such users. Because the launch agent is never written, the implant runs only until the process exits or the user logs out; long-term impact depends on the operators re-running it or switching to another persistence method.

Recommendation

  • Alert on /bin/cp process creations whose destination is a hidden file under a user's Library directory (here ~/Library/.mina), as implemented by the "Detect Dacls RAT Installation" Sigma rule.
  • Alert on any process whose image is ~/Library/.mina, as implemented by the "Detect Dacls RAT Executable" Sigma rule; this is the most reliable signal, since the launch agent write may never occur.
  • Review outbound connections from processes that are not signed, bundled applications, particularly binaries under ~/Library. C2 details are not given in the source, so a network rule specific to this threat cannot yet be written.
  • Block the two SHA-256 hashes in the IOC list at endpoint and network controls, and hunt for them retrospectively in file telemetry.
  • If running Atlassian Confluence, confirm CVE-2019-3396 is patched; it is the suspected initial access vector for the related Windows/Linux variant.

Detection coverage (3)

Detect Dacls RAT Installation

high

Detects the installation of the Dacls RAT by monitoring for the copy command used to move the SubMenu.nib file.

Sigma rule | tactic: installation | technique: T1566.001 | log source: process_creation (macos)

Detect Dacls RAT Executable

high

Detects execution of the Dacls RAT executable in the user's Library directory.

Sigma rule | tactic: execution | technique: T1059.004 | log source: process_creation (macos)

Detect Dacls RAT Launch Agent Creation Attempt

medium

Detects attempts to create a Launch Agent for persistence, specifically targeting the known Dacls RAT path.

Sigma rule | tactic: persistence | technique: T1543.001 | log source: file_event (macos)
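The three detections above, and the attack chain they cover, can be exercised end to end against telemetry. The following is an added example, not the platform's Sigma rules and not code from the researchers who analysed the sample: it implements each rule as a Python matcher over events whose field names follow Sigma's process_creation and file_event conventions (Image, CommandLine, ParentImage, TargetFilename, User), and runs them over constructed events that mirror steps 3 to 6 of the attack chain plus a benign cp for contrast. The parent binary name inside TinkaOTP.app is assumed.

```python
"""Behavioural detections for the Dacls macOS attack chain, run over sample events.

Added example; not the platform's Sigma rules and not code from the researchers
who analysed the sample. Field names follow Sigma's process_creation / file_event
log-source conventions and the events below are constructed, not real logs.
"""
import re
import shlex
from dataclasses import dataclass

LAUNCH_AGENT_PLIST = "com.aex.lop.agent.plist"
# Hidden implant path inside any user's home directory.
HIDDEN_BINARY_RE = re.compile(r"^/Users/[^/]+/Library/\.mina$")


@dataclass
class Alert:
    rule: str
    level: str
    technique: str
    event: dict


def _argv(event):
    """Split CommandLine into argv; None if it is not shell-parseable."""
    try:
        return shlex.split(event.get("CommandLine", ""))
    except ValueError:
        return None


def detect_installation(event):
    """'Detect Dacls RAT Installation': /bin/cp staging SubMenu.nib as ~/Library/.mina."""
    if event.get("category") != "process_creation" or event.get("Image") != "/bin/cp":
        return None
    argv = _argv(event)
    if not argv or len(argv) < 3:
        return None
    src, dst = argv[-2], argv[-1]
    if src.endswith("/SubMenu.nib") and HIDDEN_BINARY_RE.match(dst):
        return Alert("Detect Dacls RAT Installation", "high", "T1566.001", event)
    return None


def detect_executable(event):
    """'Detect Dacls RAT Executable': any process whose image is ~/Library/.mina."""
    if event.get("category") == "process_creation" and HIDDEN_BINARY_RE.match(event.get("Image", "")):
        return Alert("Detect Dacls RAT Executable", "high", "T1059.004", event)
    return None


def detect_launch_agent(event):
    """'Detect Dacls RAT Launch Agent Creation Attempt': file event on the known plist
    name under any LaunchAgents directory. When the directory is absent the write never
    happens, so an EDR may log no file event at all; the executable rule is the
    reliable signal in that case."""
    target = event.get("TargetFilename", "")
    if event.get("category") == "file_event" and target.endswith("/LaunchAgents/" + LAUNCH_AGENT_PLIST):
        return Alert("Detect Dacls RAT Launch Agent Creation Attempt", "medium", "T1543.001", event)
    return None


RULES = (detect_installation, detect_executable, detect_launch_agent)


def run_detections(events):
    """Apply every rule to every event; alerts come back in event order."""
    alerts = []
    for event in events:
        for rule in RULES:
            alert = rule(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: steps 3-6 of the chain plus a benign cp.
# The ParentImage binary name inside the bundle is an assumption.
SAMPLE_EVENTS = [
    {"category": "process_creation", "User": "alice", "Image": "/bin/cp",
     "ParentImage": "/Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP",
     "CommandLine": "/bin/cp /Volumes/TinkaOTP/TinkaOTP.app/Contents/Resources/Base.lproj/SubMenu.nib /Users/alice/Library/.mina"},
    {"category": "process_creation", "User": "alice", "Image": "/bin/chmod",
     "CommandLine": "chmod +x /Users/alice/Library/.mina"},
    {"category": "process_creation", "User": "alice", "Image": "/Users/alice/Library/.mina",
     "CommandLine": "/Users/alice/Library/.mina"},
    {"category": "file_event", "User": "alice", "Image": "/Users/alice/Library/.mina",
     "TargetFilename": "/Library/LaunchAgents/com.aex.lop.agent.plist"},
    {"category": "process_creation", "User": "alice", "Image": "/bin/cp",
     "CommandLine": "/bin/cp /Users/alice/Desktop/report.pdf /Users/alice/Library/Backups/report.pdf"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.level}] {a.rule} ({a.technique}) user={a.event['User']}")
```

The installation matcher inspects the last two arguments of cp rather than substring-matching the whole command line, so a cp of SubMenu.nib to anywhere other than a user's hidden .mina path does not fire, and the benign cp into ~/Library/Backups produces no alert. The chmod step is deliberately left without its own rule, matching the coverage on the page; in practice it is a useful correlation field once the executable alert fires.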


Indicators of compromise (2)

Type         Value
hash_sha256  899e66ede95686a06394f707dd09b7c29af68f95d22136f0a023bfd01390ad53
hash_sha256  846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6
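To act on the hash recommendation above and the IOC list, a responder needs a host sweep that checks both the known artifact paths and the SHA-256 values. The following is an added example, not code from the original page or from the researchers who analysed the sample: it walks one user's home directory, flags the artifact paths named in the attack chain, hashes regular files against a supplied IOC set, and includes a constructed fixture (placeholder bytes, not the real implant) so the logic can be exercised without a sample. The size cap and symlink skip are design choices, not something the page specifies.

```python
"""Host sweep for Dacls macOS artifacts and the SHA-256 IOCs listed above.

Added example, not code from the original page or the researchers who analysed
the sample. Artifact paths are the ones stated in the attack chain; the hash set
is a parameter so the same function runs against the IOC list or a test set.
"""
import hashlib
import os
import tempfile

# The two SHA-256 values from the IOC list.
DACLS_SHA256 = {
    "899e66ede95686a06394f707dd09b7c29af68f95d22136f0a023bfd01390ad53",
    "846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6",
}
# Artifact paths relative to a user's home directory.
USER_ARTIFACTS = ("Library/.mina", "Library/LaunchAgents/com.aex.lop.agent.plist")
# System-wide launch agent path named in the attack chain.
SYSTEM_ARTIFACTS = ("/Library/LaunchAgents/com.aex.lop.agent.plist",)


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(home, ioc_hashes=DACLS_SHA256, check_system=False, max_size=64 << 20):
    """Return findings for one home directory:
       ("path", p)           a known Dacls artifact path is present
       ("hash", p, digest)   a regular file whose SHA-256 is in ioc_hashes
    Symlinks and files above max_size are skipped (assumed cap) to keep the hash pass cheap."""
    findings = []
    candidates = [os.path.join(home, rel) for rel in USER_ARTIFACTS]
    if check_system:
        candidates.extend(SYSTEM_ARTIFACTS)
    for p in candidates:
        if os.path.lexists(p):
            findings.append(("path", p))
    for dirpath, _dirs, files in os.walk(home):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if os.path.islink(p) or not os.path.isfile(p) or os.path.getsize(p) > max_size:
                    continue
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable, e.g. a TCC-protected directory; report separately if needed
            if digest in ioc_hashes:
                findings.append(("hash", p, digest))
    return findings


def build_fixture():
    """Constructed test home with a fake ~/Library/.mina (placeholder bytes, not the
    real implant). Returns (home, sha256 of the placeholder)."""
    home = tempfile.mkdtemp(prefix="dacls-fixture-")
    os.makedirs(os.path.join(home, "Library"))
    payload = b"PLACEHOLDER NOT MALWARE\n"
    with open(os.path.join(home, "Library", ".mina"), "wb") as f:
        f.write(payload)
    return home, hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    users_root = "/Users"
    if os.path.isdir(users_root):
        for user in os.listdir(users_root):
            for finding in sweep(os.path.join(users_root, user), check_system=True):
                print(user, finding)
```

Run it per user home with check_system=True on the suspect Mac; on modern macOS the hash pass over directories such as ~/Library/Mail requires Full Disk Access, which is why unreadable files are skipped rather than aborting the sweep. A path hit on ~/Library/.mina is significant on its own, since the placeholder fixture shows the path check fires even when the file's hash is not in the IOC list, which is exactly the situation with a recompiled build.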