{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/tinkaotp.app/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc"],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2019-3396"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["TinkaOTP.app","Confluence Data Center"],"_cs_severities":["high"],"_cs_tags":["macos","rat","lazarus group"],"_cs_type":"threat","_cs_vendors":["Apple","Atlassian"],"content_html":"\u003cp\u003eThe Lazarus Group, a North Korean APT, is distributing a new variant of the Dacls RAT that targets macOS. The malware is delivered inside a trojanized application named TinkaOTP.app, consistent with the social-engineering lures the group has used before. Discovered in May 2020, the macOS variant shares code and behaviour with the Windows/Linux Dacls samples, indicating a cross-platform toolset rather than a one-off port. On execution, the application copies a hidden executable into the user\u0026rsquo;s Library directory, runs it, and attempts to persist as a launch agent; the persistence attempt fails because the agent plist is written to a directory that is not present on the system. The initial access vector for the macOS variant is not confirmed. Researchers note that the Windows/Linux Dacls samples were reported alongside exploitation of CVE-2019-3396 (Atlassian Confluence), so that path remains a possibility. The Lazarus Group continues to invest in macOS malware, so proactive detection and response measures are warranted.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user downloads and mounts the malicious TinkaOTP.dmg disk image.\u003c/li\u003e\n\u003cli\u003eThe user launches the TinkaOTP.app application.\u003c/li\u003e\n\u003cli\u003eTinkaOTP.app executes \u003ccode\u003e/bin/cp\u003c/code\u003e to copy \u003ccode\u003e/Volumes/TinkaOTP/TinkaOTP.app/Contents/Resources/Base.lproj/SubMenu.nib\u003c/code\u003e to \u003ccode\u003e~/Library/.mina\u003c/code\u003e. The payload is staged as a resource file, so it does not look like an executable inside the bundle.\u003c/li\u003e\n\u003cli\u003eTinkaOTP.app executes \u003ccode\u003echmod +x ~/Library/.mina\u003c/code\u003e to set the executable bit on the copied file.\u003c/li\u003e\n\u003cli\u003eTinkaOTP.app executes the copied file \u003ccode\u003e~/Library/.mina\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e~/Library/.mina\u003c/code\u003e attempts to create a launch agent plist at \u003ccode\u003e/Library/LaunchAgents/com.aex.lop.agent.plist\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe write fails because the \u003ccode\u003e/Library/LaunchAgents\u003c/code\u003e directory does not exist by default, so the RAT does not survive a logout or reboot unless another mechanism is used.\u003c/li\u003e\n\u003cli\u003eThe RAT establishes command and control with its operators (details not available in the source).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of the trojanized application installs a remote access trojan (RAT) on the victim\u0026rsquo;s macOS system and gives the Lazarus Group unauthorized access to it. The malware can exfiltrate data, execute arbitrary commands, and perform other post-compromise activity for as long as the process is running. The scope of targeting is currently unknown, but the Lazarus Group has historically targeted financial institutions and cryptocurrency exchanges. The failed persistence mechanism in this variant limits the long-term impact to the current session unless the operators use another persistence method or ship a corrected build.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation for \u003ccode\u003e/bin/cp\u003c/code\u003e with a destination under the user\u0026rsquo;s Library directory, especially a destination named \u003ccode\u003e.mina\u003c/code\u003e, using the \u0026ldquo;Detect Dacls RAT Installation\u0026rdquo; Sigma rule. Match on the expanded destination path; endpoint telemetry records the resolved home directory, not the literal \u003ccode\u003e~\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor process creation for the hidden executable \u003ccode\u003e~/Library/.mina\u003c/code\u003e using the \u0026ldquo;Detect Dacls RAT Executable\u0026rdquo; Sigma rule, and treat \u003ccode\u003echmod +x\u003c/code\u003e applied to a dotfile directly under \u003ccode\u003e~/Library\u003c/code\u003e as a supporting signal.\u003c/li\u003e\n\u003cli\u003eAlert on creation of \u003ccode\u003ecom.aex.lop.agent.plist\u003c/code\u003e under \u003ccode\u003e/Library/LaunchAgents\u003c/code\u003e or \u003ccode\u003e~/Library/LaunchAgents\u003c/code\u003e. A failed write to \u003ccode\u003e/Library/LaunchAgents\u003c/code\u003e is still evidence of the persistence attempt, and a build that targets the per-user directory instead would succeed.\u003c/li\u003e\n\u003cli\u003eInspect network connections from non-standard applications to external IPs (further analysis is needed to build a rule for this specific threat, as the source does not publish C2 details).\u003c/li\u003e\n\u003cli\u003eBlock the malicious file hashes (SHA256) from the source report\u0026rsquo;s IOC list, which is not reproduced in this brief, at the endpoint and network levels.\u003c/li\u003e\n\u003cli\u003eIf running Atlassian Confluence, patch CVE-2019-3396 to close the initial access path reported for the Windows/Linux variants.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T17:30:00Z","date_published":"2024-01-23T17:30:00Z","id":"/briefs/2024-01-dacls-macos/","summary":"The Lazarus Group is distributing a new variant of the Dacls RAT targeting macOS systems via a trojanized application, installing a hidden executable and attempting persistence.","title":"Lazarus Group's Dacls RAT Targets macOS","url":"https://feed.craftedsignal.io/briefs/2024-01-dacls-macos/"}],"language":"en","title":"CraftedSignal Threat Feed — TinkaOTP.app","version":"https://jsonfeed.org/version/1.1"}
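The attack chain and recommendations above describe four observable stages (copy to a hidden file under ~/Library, chmod +x, execution of that file, and the launch agent plist write). The script below is an added example, not code from the CraftedSignal feed or from the "Detect Dacls RAT" Sigma rules it cites: it runs that detection logic over constructed JSON-lines telemetry and correlates the stages per user and drop path, so that a single stage raises a medium alert while the full chain (or the com.aex.lop.agent.plist name) raises a high one. The event schema (ts, type, user, pid, ppid, path, args, target, result) is an assumption standing in for whatever an EDR emits, and the sample events are constructed, including the ENOENT result on the plist write. It generalizes the page's `.mina` indicator to any dotfile placed directly under a user's Library directory, since the file name is the easiest thing for the operators to change.

```python
"""Correlate endpoint telemetry into the TinkaOTP/Dacls macOS install chain.

Added example; the JSON-lines event schema is an assumption, not a real EDR format.
"""
import json
import re
from collections import defaultdict

# A dotfile placed directly under a user's ~/Library (Dacls used ~/Library/.mina).
# Matching the location rather than the literal ".mina" also catches a renamed drop.
HIDDEN_LIB_FILE = re.compile(r"^/(?:Users/[^/]+|var/root)/Library/\.[^/]+$")
# Launch agent/daemon plist with the name observed in the Dacls sample.
DACLS_PLIST = re.compile(r"/Launch(?:Agents|Daemons)/com\.aex\.lop\.agent\.plist$")

# Constructed sample telemetry (not a real capture): the chain from the brief
# under user "alice", plus a benign cp by "bob" that must not alert.
SAMPLE_EVENTS = r"""
{"ts":"2020-05-05T10:00:01Z","type":"process","user":"alice","pid":601,"ppid":501,"path":"/Volumes/TinkaOTP/TinkaOTP.app/Contents/MacOS/TinkaOTP","args":["TinkaOTP"]}
{"ts":"2020-05-05T10:00:02Z","type":"process","user":"alice","pid":602,"ppid":601,"path":"/bin/cp","args":["cp","/Volumes/TinkaOTP/TinkaOTP.app/Contents/Resources/Base.lproj/SubMenu.nib","/Users/alice/Library/.mina"]}
{"ts":"2020-05-05T10:00:02Z","type":"process","user":"alice","pid":603,"ppid":601,"path":"/bin/chmod","args":["chmod","+x","/Users/alice/Library/.mina"]}
{"ts":"2020-05-05T10:00:03Z","type":"process","user":"alice","pid":604,"ppid":601,"path":"/Users/alice/Library/.mina","args":[".mina"]}
{"ts":"2020-05-05T10:00:04Z","type":"file","user":"alice","pid":604,"ppid":601,"path":"/Users/alice/Library/.mina","target":"/Library/LaunchAgents/com.aex.lop.agent.plist","result":"ENOENT"}
{"ts":"2020-05-05T11:00:00Z","type":"process","user":"bob","pid":700,"ppid":500,"path":"/bin/cp","args":["cp","/Users/bob/notes.txt","/Users/bob/Library/Application Support/notes.bak"]}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(ev):
    """Map one event to a chain stage, or None if it is uninteresting.

    Returns (stage, hidden_path) so later stages can be tied to the drop path.
    """
    args = ev.get("args", [])
    if ev["type"] == "process":
        # Stage 1: cp whose destination is a dotfile directly under ~/Library
        # (the behaviour the "Detect Dacls RAT Installation" rule targets).
        if ev["path"] == "/bin/cp" and len(args) >= 3 and HIDDEN_LIB_FILE.match(args[-1]):
            return "install_copy", args[-1]
        # Stage 2: chmod adding execute permission to such a file (+x, u+x, a+rx ...).
        if ev["path"] == "/bin/chmod":
            adds_exec = any("+" in a and "x" in a.split("+", 1)[1] for a in args[1:])
            for a in args[2:]:
                if adds_exec and HIDDEN_LIB_FILE.match(a):
                    return "install_chmod", a
        # Stage 3: the hidden file itself starts running
        # (the behaviour the "Detect Dacls RAT Executable" rule targets).
        if HIDDEN_LIB_FILE.match(ev["path"]):
            return "hidden_exec", ev["path"]
    elif ev["type"] == "file":
        # Stage 4: plist write. A failed write (ENOENT in the sample) is still an attempt.
        if DACLS_PLIST.search(ev.get("target", "")):
            return "launch_agent_plist", ev["path"]
    return None


def correlate(events):
    """Group stage hits per (user, hidden path) and grade each resulting chain."""
    chains = defaultdict(lambda: {"stages": set(), "first_seen": None})
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        stage, hidden = hit
        chain = chains[(ev["user"], hidden)]
        chain["stages"].add(stage)
        chain["first_seen"] = chain["first_seen"] or ev["ts"]

    alerts = []
    for (user, hidden), chain in chains.items():
        stages = chain["stages"]
        if {"install_copy", "hidden_exec"} <= stages or "launch_agent_plist" in stages:
            severity = "high"    # drop followed by execution, or the known plist name
        else:
            severity = "medium"  # one stage alone is suspicious but not conclusive
        alerts.append({"user": user, "path": hidden, "severity": severity,
                       "stages": sorted(stages), "first_seen": chain["first_seen"]})
    return sorted(alerts, key=lambda a: a["first_seen"])


def detect(text=SAMPLE_EVENTS):
    """Run the whole pipeline over JSON-lines telemetry and return the alerts."""
    return correlate(parse_events(text))


if __name__ == "__main__":
    for alert in detect():
        print(json.dumps(alert))
```

Keying the correlation on the drop path rather than on the parent PID is deliberate: the copy, chmod and execution are separate short-lived children of the app, and the later persistence attempt comes from the dropped binary itself, so the file path is the one attribute all four stages share.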