The hackers managed to insert malware into the free application MinaOTP, which is especially popular with Chinese users. A sample of the malicious version, named TinkaOTP, was uploaded to the VirusTotal scanning service last month.
According to Malwarebytes analysts, it had gone unnoticed at that time. At present, the malicious file is detected by 23 of the 59 antivirus engines.
The malware runs after every system restart, because it is registered in a plist file of the kind that LaunchDaemons and LaunchAgents use to launch programs at startup.
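The persistence mechanism described above is what a responder would check first on a suspect Mac. The following is an added triage example (not code from the article or from the researchers it cites) that parses a launch plist, extracts the executable it starts and flags auto-start items that run from an unusual or hidden location; the embedded sample plist, its label and its path are constructed placeholders, not indicators from the report.

```python
import plistlib
from pathlib import Path

# Constructed sample in the shape used by LaunchAgents/LaunchDaemons plists.
# Label and path are hypothetical placeholders, not indicators from the article.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.placeholder</string>
    <key>ProgramArguments</key>
    <array><string>/Users/demo/Library/.hidden/agent</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Prefixes where legitimately installed launch items normally point (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")

def program_path(item: dict) -> str:
    """Return the executable a launch item runs (Program wins over ProgramArguments[0])."""
    if "Program" in item:
        return item["Program"]
    args = item.get("ProgramArguments") or []
    return args[0] if args else ""

def triage_launch_item(data: bytes) -> dict:
    """Parse one plist and summarise the persistence-relevant keys for review."""
    item = plistlib.loads(data)
    path = program_path(item)
    hidden = any(part.startswith(".") for part in Path(path).parts)
    return {
        "label": item.get("Label", ""),
        "program": path,
        "run_at_load": bool(item.get("RunAtLoad", False)),
        "keep_alive": bool(item.get("KeepAlive", False)),
        "untrusted_path": not path.startswith(TRUSTED_PREFIXES),
        "hidden_component": hidden,
    }

def is_suspicious(summary: dict) -> bool:
    """Flag auto-start items that run from a non-standard or hidden location."""
    return summary["run_at_load"] and (summary["untrusted_path"] or summary["hidden_component"])

def scan_launch_dirs(dirs=("/Library/LaunchDaemons", "/Library/LaunchAgents",
                           str(Path.home() / "Library/LaunchAgents"))):
    """Walk the real launch directories (when run on a Mac) and return flagged items."""
    flagged = []
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            try:
                s = triage_launch_item(p.read_bytes())
            except Exception:  # unreadable or malformed plist: skip, do not abort the sweep
                continue
            if is_suspicious(s):
                flagged.append((str(p), s))
    return flagged
```

A flagged item is a lead for manual review, not a verdict: many legitimate third-party agents also live under the user's home directory.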
An additional feature showing that the two share a common root is the malware's configuration file, which is encrypted with the same AES key that appears in the Linux version of Dacls RAT.
The researchers also found that six of the seven plugins in the macOS sample also exist in the Linux variant. The new variant differs, however, in its SOCKS module, which starts a proxy between the malware and the C2 infrastructure.
Researchers at Qihoo 360's Netlab have published further details, which you can read here.
This isn't the first time Lazarus has planted malware in a legitimate macOS application. In September 2019, security researchers analyzed a commercial macOS application that turned out to contain information-stealing malware, and last December a new piece of Lazarus macOS malware used the same tactics.