New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app
2020-05-06 • Malwarebytes
Malwarebytes analyzed a macOS variant of the Dacls RAT that it attributes to Lazarus (also tracked as Hidden Cobra and APT38) and detects as OSX-DaclsRAT. One observed sample, delivered through a trojanized two-factor authentication app, downloaded a payload from loneeaglerecords[.]com into ~/Library/.mina; related samples shared their beaconing command codes with Linux.dacls, the Linux variant. The Mac RAT talked to its C2 over TLS using the WolfSSL library and additionally encrypted the data inside that channel with RC4, using a keystream generated from a hardcoded key. A Socks plugin added in the Mac variant acted as a Socks4 proxy between the bot and the C2 infrastructure and included a worm-style scanning function that probes subnets on ports 8291 and 8292, showing that the group continues to develop its tooling across platforms.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 67.43.239.146 | 2020-05-05 | 2023-01-18 |
| IPv4 | 185.62.58.207 | 2020-05-05 | 2023-01-18 |
| HASH | 899e66ede95686a06394f707dd09b7c… | 2020-05-06 | 2020-07-27 |
| URL | https://loneeaglerecords.com/wp… | 2020-05-06 | 2020-07-27 |
| DOMAIN | loneeaglerecords.com | 2020-05-06 | 2020-07-27 |
| HASH | 216a83e54cac48a75b7e071d0262d98… | 2020-05-06 | 2020-05-06 |
| HASH | d3235a29d254d0b73ff8b5445c962cd… | 2020-05-06 | 2020-05-06 |
| HASH | 846d8647d27a0d729df40b13a644f3b… | 2020-05-06 | 2020-05-06 |
| IPv4 | 50.87.144.227 | 2020-05-06 | 2020-05-06 |
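The following is an added detection example, not code from the Malwarebytes report or from the malware itself. It loads the network indicators from the table above, matches them against a few constructed connection-log lines, and separately flags the subnet-sweep behaviour the summary attributes to the Socks plugin: one source touching several distinct hosts in its own /24 on ports 8291 or 8292. The log format, the sample lines and the scan threshold are assumptions for illustration; adapt the parser to your own proxy, DNS or Zeek conn logs.

```python
"""Added example (not from the Malwarebytes report or the Dacls sample):
match the page's network IoCs against connection-log lines and flag
8291/8292 subnet sweeps of the kind the summary attributes to the Socks
plugin."""
from collections import defaultdict
import ipaddress

# Network indicators copied from the IoC table on this page.
IOC_IPS = {"67.43.239.146", "185.62.58.207", "50.87.144.227"}
IOC_DOMAINS = {"loneeaglerecords.com"}

# Ports the summary says the plugin's worm-style scanner probes.
SCAN_PORTS = {8291, 8292}
# Assumed threshold: distinct in-subnet hosts hit on those ports by one
# source before we call it a sweep. Tune to the environment.
SCAN_THRESHOLD = 3

# Constructed sample log in an assumed whitespace-separated layout:
#   ts src_ip dst_ip dst_port sni_or_hostname ('-' when unknown)
SAMPLE_LOG = """\
1588723200 10.0.0.15 67.43.239.146 443 -
1588723210 10.0.0.15 93.184.216.34 443 example.org
1588723220 10.0.0.15 104.21.55.2 443 loneeaglerecords.com
1588723230 10.0.0.15 10.0.0.1 8291 -
1588723231 10.0.0.15 10.0.0.2 8291 -
1588723232 10.0.0.15 10.0.0.3 8292 -
1588723233 10.0.0.15 10.0.0.4 8291 -
1588723240 10.0.0.22 10.0.0.1 8291 -
"""


def parse_line(line):
    """Split one assumed-format log line into a dict with typed fields."""
    ts, src, dst, port, host = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "port": int(port), "host": host}


def match_iocs(lines):
    """Return (line_number, reason) for rows whose destination IP or
    hostname is in the IoC lists. Hostnames match exactly or as a
    subdomain of a listed domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec["dst"] in IOC_IPS:
            hits.append((n, f"dst ip {rec['dst']}"))
        host = rec["host"].lower().rstrip(".")
        if host in IOC_DOMAINS or any(host.endswith("." + d)
                                      for d in IOC_DOMAINS):
            hits.append((n, f"host {host}"))
    return hits


def find_scanners(lines, threshold=SCAN_THRESHOLD):
    """Return {src: [dst, ...]} for sources that hit at least `threshold`
    distinct hosts on the scan ports inside their own /24. The /24 limit
    reflects the summary's description of subnet scanning; widen it if
    your segments are larger."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec["port"] not in SCAN_PORTS:
            continue
        src_net = ipaddress.ip_network(rec["src"] + "/24", strict=False)
        if ipaddress.ip_address(rec["dst"]) in src_net:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= threshold}


if __name__ == "__main__":
    rows = SAMPLE_LOG.splitlines()
    for n, reason in match_iocs(rows):
        print(f"IoC hit on line {n}: {reason}")
    for src, hosts in find_scanners(rows).items():
        print(f"possible 8291/8292 sweep from {src}: {', '.join(hosts)}")
```

Note that the IoC match alone would miss the sweep (the scanned hosts are internal and not in any indicator list), while the sweep heuristic alone would miss the C2 beacon; the two checks cover different stages of the activity the summary describes and are meant to be run together.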