2FA application was infected by a variant of Dacls Trojan


A legitimate 2FA application for macOS devices has been trojanized by North Korean hackers to gain access and install the Dacls trojan, which is linked to the Lazarus group.

This trojan has previously been used to target Windows and Linux systems. The new Dacls executable, built for macOS, borrows many of its predecessors' functions.

The hackers managed to insert the malware into the free application MinaOTP, which is especially popular with Chinese users. A sample of the malicious version, named TinkaOTP, surfaced last month on the VirusTotal scanning service.

According to Malwarebytes analysts, it went undetected at that time. At present, the malicious file is detected by 23 of the 59 antivirus engines.

The malware runs after the system restarts, because it adds itself to the property list (plist) files that LaunchDaemons and LaunchAgents use to run applications at startup.
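The persistence mechanism described above can be reviewed by parsing the launchd plists and checking what each job starts at load. The following is an added example, not code from the article or from the researchers it cites; the two heuristics (hidden path, world-writable directory) and the sample job are assumptions constructed for illustration.

```python
import plistlib
from pathlib import Path

# Directories launchd reads for startup jobs on macOS.
LAUNCHD_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents", "~/Library/LaunchAgents")
# Illustrative heuristic (assumption): locations any local user can write to.
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

# Constructed sample job for demonstration; not taken from the Dacls sample.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Users/alice/Library/.helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

def review_job(job):
    """Return (program, reasons) for one parsed launchd job dictionary."""
    args = job.get("ProgramArguments") or []
    program = str(job.get("Program") or (args[0] if args else ""))
    reasons = []
    if job.get("RunAtLoad") or job.get("KeepAlive"):
        if any(part.startswith(".") for part in Path(program).parts):
            reasons.append("auto-start program in hidden path")
        if program.startswith(WRITABLE_PREFIXES):
            reasons.append("auto-start program in world-writable directory")
    return program, reasons

def review_bytes(data):
    """Parse one plist (XML or binary); malformed files are reported, not skipped."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # plistlib raises several error types on bad input
        return "", [f"unparseable plist: {type(exc).__name__}"]
    if not isinstance(job, dict):
        return "", ["top-level object is not a dict"]
    return review_job(job)

def audit(dirs=LAUNCHD_DIRS):
    """Yield (plist path, program, reasons) for every flagged job in dirs."""
    for d in dirs:
        for path in sorted(Path(d).expanduser().glob("*.plist")):
            program, reasons = review_bytes(path.read_bytes())
            if reasons:
                yield str(path), program, reasons

if __name__ == "__main__":
    print(review_bytes(SAMPLE_PLIST), *audit(), sep="\n")
```

A flagged job is a prompt for manual review, since legitimate software also registers startup jobs; the value is in seeing which binary each plist actually launches.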

Another indicator of a common origin is the malware's configuration file, which is encrypted with the same AES key that appears in the Dacls RAT for Linux.

The researchers also found that six of the seven plugins in the macOS sample also exist in the Linux variant. The new variant differs, however, in its Socks module, which starts a proxy between the malware and the C2 infrastructure.

Researchers at Qihoo 360's Netlab have released more details.

This isn't the first time Lazarus has slipped malware into a legitimate app for macOS systems. In September 2019, security researchers analyzed a commercial application for macOS that turned out to contain malware for stealing user information, and last December, new macOS malware from Lazarus used the same tactics.

Absent Mia