Malware in Mac-OS Two-Factor Authentication App “MinaOTP”


Mac-OS Two-Factor Authentication App “MinaOTP” attacked by the infamous Lazarus group to spread a malware

The Chinese famous 2FA app “MinaOTP” is affected by a Malware called “Dacls”. As per, Researchers from Malwarebytes have spotted a Malware in the 2FA app which is attacked by Lazarus Group. The Lazarus group is a group of hackers that are believed to be formed in 2009. The famous group is said to be originated in North Korea.

The Malware used by the Lazarus group is basically a trojan named ‘Dacls’. The Malware used to gain remote access to your files which include executing commands, managing the system’s files, managing the system’s processes, traffic proxying, and worm scanning.

Once it collects the information, it connects to its C2 server via a TLS connection, “performs beaconing”, encrypts the data, and then transfers it on SSL “using the RC4 algorithm.”

The researchers stated in their blog post, “This RAT persists through LaunchDaemons or LaunchAgents which take a property list (plist) file that specifies the application that needs to be executed after reboot. The difference between LaunchAgents and LaunchDaemons is that LaunchAgents run code on behalf of the logged-in user while LaunchDaemon runs code as a root user.

The malicious bot executable malware is located in the “Contents/Resources/Base.lproj/” directory of the application and pretends to be a nib file (“SubMenu.nib”) while it’s a Mac executable file. It contained the strings “c_2910.cls” and “k_3872.cls” which are the names of certificate and private key files that had been previously observed.

This Mac RAT has all the six plugins seen in the Linux variant with an additional plugin named “SOCKS”. This new plugin is used to proxy network traffic from the victim to the C&C server.

The app loads all the seven plugins at the start of the main loop. Each plugin has its own configuration section in the config file which will be loaded at the initialization of the plugin.

[Image Source: Malwarebytes]

We suggest you block the app if you owe a macOS and have installed the app. Follow Android Rookies for the future update on this.


About Author

Be Ready for the challenge

Notify of
Inline Feedbacks
View all comments