Data Security

Hackers infect authentic 2FA app to infect Mac devices with malware

It is believed that the infamous Lazarus group is behind this malware.

Many cybercrime groups over the years have made a name for themselves owing to their consistency and determination in conducting attacks. One such group is Lazarus, believed to be from North Korea and operating since 2009.

Today, researchers from Malwarebytes Labs have come across another attack from the infamous group in which they have slipped in a piece of malware in a macOS based 2FA app named MinaOTP. The app happened to be popular with Chinese users.

The purpose of the malware is to spread a trojan named Dacls that can be used by the attackers to gain remote access. The functions it can perform include executing commands, managing the system’s files, managing the system’s processes, traffic proxying, and worm scanning.




Once it collects the information, it connects to its C2 server via a TLS connection, “performs beaconing”, encrypts the data, and then transfers it on SSL “using the RC4 algorithm.”

The discovery came when a month ago on the 8th of April, an unknown entity submitted a Mac application by the name of “TinkaOTP” on VirusTotal from Hong Kong. The application which is a sample of the actual app is currently detectable on only 23/59 antivirus programs pointing to the fact that users may be very much vulnerable out there.

Commenting on how it works and carries out its execution, the researchers stated in their blog post that,

This RAT persists through LaunchDaemons or LaunchAgents which take a property list (plist) file that specifies the application that needs to be executed after reboot. The difference between LaunchAgents and LaunchDaemons is that LaunchAgents run code on behalf of the logged-in user while LaunchDaemon run code as root user.

For those who follow the cybersecurity world closely would know that a trojan by the same name exists for Windows and Linux, which happens to be from this same group with this new one being a variant. How we know this is from the analysis conducted by researchers which revealed that the names of the following 2 files were the same in the trojan for all 3 operating systems:

  • c_2910.cls – the certificate file
  • k_3872.Cls – the private file

Additionally, plugins are contained within all the versions to initiate different processes. A look at the macOS variant revealed that six out of 7 plugins were the same as the Linux one:

The new one is the SOCKS plugin which is used to connect the malware itself and the C2 server through a proxy.

To conclude, this is not the first time this group has attacked macOS. Therefore, we as users can take simple precautions on our end like installing a reputable antivirus program, downloading files along with scanning them for any malware with reliable anti-virus software, and checking their hashes to verify their originality.

You can also follow these 11 easy tips to secure your Mac against hackers. Such measures can help to a greater extent even if they may not work all the time seeing that literally everything is hackable.

Such measures can help to a greater extent even if they may not work all the time seeing that literally everything is hackable.

To Top

Pin It on Pinterest

Share This