According to a new report posted today, the DPRK-linked Lazarus Group is hiding a new malware variant in security apps for macOS.
North Korean News, with offices in DC, London and Seoul, reports that "One of the most prolific hacking groups linked to North Korea appears to be targeting Apple users with new malware previously only found on Windows and Linux, researchers warned Wednesday.
Security firm Malwarebytes Labs discovered the variant in a macOS application used to generate temporary access codes for two-factor authentication, the company explained in a report.
The application called "MinaOTP," which the researchers attributed to the Lazarus Group, seemed to be targeting victims in China and contained code that allowed attackers to gain control of the infected computer.
Once in control, attackers are able to launch additional software as well as upload, download, read, write, or delete files on the device.
Researchers identified the code used in the application as "Dacls," a remote access trojan (RAT) discovered by Chinese security firm Qihoo 360 Netlab in December 2019.
Malwarebytes Labs first noticed the new variant of this RAT in early April, hidden in another two-factor authenticator app distributed as "TinkaOTP."
In all cases, researchers attributed the attack to Lazarus Group, a cybercrime collective active since at least 2009.
Malwarebytes Labs explained: "The group is known to be one of the most sophisticated actors, capable of making custom malware to target different platforms. The discovery of this Mac RAT shows that this APT group is constantly developing its malware toolset."
While it's not clear how the attackers lured victims into installing the malicious application, researchers indicated in their report that it has been developed as an open source project on the software development platform GitHub.
The project was created by a single contributor and saw an initial release as early as August 2018, NK News research showed." For more on this, read the full NK News report.
For the geekier side of this story, check out the full and original report by Malwarebytes Labs titled "New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app."