Severity
High
Analysis Summary
Dacls is a cross-platform RAT whose macOS variant is distributed outside the App Store as a trojanized two-factor authentication application called MinaOTP. The latest build supports command execution, file management, traffic proxying and worm-style network scanning. The bot executable is dropped into Contents/Resources/Base.lproj/ inside the application bundle, disguised as a nib file (an interface resource, not a location where an executable belongs), and the variant carries the same certificate and private key files observed in earlier Dacls samples. Persistence is achieved through a LaunchDaemons plist when the malware runs as root, or a LaunchAgents plist when it runs as the logged-in user.

The configuration file holds information about the victim machine and is encrypted with AES in CBC mode; it is updated by commands received from the C2 server. A file plugin reads, deletes, downloads and searches files within a directory, but unlike other Dacls versions the macOS version cannot write files. A process plugin kills and runs processes, retrieves process IDs and collects process information. The bot connects to its C2 server over TLS, beacons over that connection, and additionally encrypts the data it exchanges with RC4 inside the TLS channel. This variant of the Dacls RAT is associated with the Lazarus Group (also tracked as Hidden Cobra and APT38).
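The persistence pattern above (a launchd job that starts a Mach-O hidden as a .nib under Contents/Resources/Base.lproj/) is more durable to hunt for than the hashes alone, which change with every rebuild. The following Python script is an added example, not code from the Rewterz advisory and not Dacls or Lazarus tooling: it parses every plist in the standard macOS LaunchDaemons/LaunchAgents directories, flags jobs whose target lives in Base.lproj, whose target claims to be a .nib but starts with a Mach-O magic number, or whose MD5/SHA-1/SHA-256 matches an indicator listed below. Everything beyond the advisory is an assumption: the default launchd directories are the standard macOS locations, the Mach-O magic numbers are Apple's documented values, and `build_sample()` creates a constructed fixture (a fake `Fake.app` bundle with a hypothetical `Menu.nib` stub and two invented job labels) so the logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Hunt for the Dacls macOS tradecraft described above: a Mach-O bot disguised
as a .nib under Base.lproj/, persisted via launchd, checked against the IOCs."""
import hashlib
import os
import plistlib
import tempfile
from pathlib import Path

# Hashes from the Indicators of Compromise section (MD5, SHA-1, SHA-256).
IOC_HASHES = {
    "81f8f0526740b55fe484c42126cd8396", "f05437d510287448325bac98a1378de1",
    "b19984c67baee3b9274fe7d9a9073fa2", "024e28cb5e42eb0fe813ac9892eb7cbe",
    "fe83d95afce63e935dbe22aef40a164cee34f4e5", "fa3deb60b8a2eaa29a7dccf14bee6adae81f442f",
    "4862e206b9a79254f3fcc556f75711c03287f1dc", "eaa2e43f075e7573c7a131e5cb4fa1ec70a90c5c",
    "899e66ede95686a06394f707dd09b7c29af68f95d22136f0a023bfd01390ad53",
    "846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6",
    "216a83e54cac48a75b7e071d0262d98739c840fd8cd6d0b48a9c166b69acd57d",
    "d3235a29d254d0b73ff8b5445c962cd3b841f487469d60a02819c0eb347111dd",
}
# Mach-O thin (32/64-bit, either byte order) and fat-binary magic numbers.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}

def file_hashes(path):
    """Return {"md5", "sha1", "sha256"} hex digests, hashing in 1 MiB chunks."""
    digests = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {n: d.hexdigest() for n, d in digests.items()}

def is_macho(path):
    """True if the file starts with a Mach-O magic; a genuine .nib never does."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False

def launchd_program(plist_path):
    """Path launchd would execute for this job, or None if it cannot be read."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception:  # unreadable, malformed, or not a plist at all
        return None
    if not isinstance(job, dict):
        return None
    args = job.get("ProgramArguments")
    program = job.get("Program") or (args[0] if isinstance(args, list) and args else None)
    return program if isinstance(program, str) else None

def inspect_program(program):
    """Reasons a launchd target matches the Dacls pattern; empty if clean."""
    reasons = []
    if "/Contents/Resources/Base.lproj/" in program:
        reasons.append("job runs a file from Base.lproj, a resource directory")
    target = Path(program)
    if target.is_file():
        if target.suffix == ".nib" and is_macho(target):
            reasons.append("target is a Mach-O binary disguised as a .nib")
        matched = set(file_hashes(target).values()) & IOC_HASHES
        if matched:
            reasons.append("hash matches advisory IOC: " + ", ".join(sorted(matched)))
    return reasons

def scan_launchd(dirs=None):
    """Return [(plist, program, reasons)] for every suspicious launchd job.
    Default: daemons (root-driven) plus this user's agents; run as root to see all."""
    if dirs is None:
        home = os.environ.get("HOME", "/var/root")
        dirs = [Path("/Library/LaunchDaemons"), Path("/Library/LaunchAgents"),
                Path(home) / "Library" / "LaunchAgents"]
    findings = []
    for d in dirs:
        for plist in sorted(d.glob("*.plist")) if d.is_dir() else []:
            program = launchd_program(plist)
            reasons = inspect_program(program) if program else []
            if reasons:
                findings.append((str(plist), program, reasons))
    return findings

def build_sample():
    """Constructed fixture, not a real sample: fake bundle, Mach-O 'nib', two jobs."""
    root = Path(tempfile.mkdtemp(prefix="dacls_hunt_"))
    lproj = root / "Fake.app" / "Contents" / "Resources" / "Base.lproj"
    lproj.mkdir(parents=True)
    nib = lproj / "Menu.nib"                                  # hypothetical name
    nib.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)       # MH_MAGIC_64 + pad
    benign = root / "benign.sh"
    benign.write_bytes(b"abc")
    jobs = root / "LaunchDaemons"
    jobs.mkdir()
    for label, prog in (("com.fake.loader", nib), ("com.fake.benign", benign)):
        with open(jobs / (label + ".plist"), "wb") as fh:
            plistlib.dump({"Label": label, "ProgramArguments": [str(prog)],
                           "RunAtLoad": True}, fh)
    return {"launchd_dir": jobs, "nib": str(nib), "benign": str(benign)}

if __name__ == "__main__":
    for plist, program, reasons in scan_launchd():   # real launchd directories
        print(plist, "->", program, "|", "; ".join(reasons))
```

Run it as root on the host under investigation so that every user's LaunchAgents directory is covered; a hit on the Base.lproj or disguised-nib checks is worth escalating even when no hash matches, since a recompiled bot keeps the packaging trick but not the hashes.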
Impact
- Command execution
- Information theft
- Exposure of sensitive data
Indicators of Compromise
MD5
- 81f8f0526740b55fe484c42126cd8396
- f05437d510287448325bac98a1378de1
- b19984c67baee3b9274fe7d9a9073fa2
- 024e28cb5e42eb0fe813ac9892eb7cbe
SHA-256
- 899e66ede95686a06394f707dd09b7c29af68f95d22136f0a023bfd01390ad53
- 846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6
- 216a83e54cac48a75b7e071d0262d98739c840fd8cd6d0b48a9c166b69acd57d
- d3235a29d254d0b73ff8b5445c962cd3b841f487469d60a02819c0eb347111dd
SHA-1
- fe83d95afce63e935dbe22aef40a164cee34f4e5
- fa3deb60b8a2eaa29a7dccf14bee6adae81f442f
- 4862e206b9a79254f3fcc556f75711c03287f1dc
- eaa2e43f075e7573c7a131e5cb4fa1ec70a90c5c
Remediation
- Block all threat indicators at your respective controls.
- Search for the IOCs above in your existing environments.
- Do not rely on the hashes alone, since they change with every rebuild; also hunt for the persistence mechanism itself: LaunchDaemons or LaunchAgents entries whose program lives under Contents/Resources/Base.lproj/, and any file in that directory that carries a .nib name but is actually a Mach-O executable.
- Treat two-factor authentication applications obtained outside the App Store, such as third-party MinaOTP builds, as untrusted and remove them from managed macOS endpoints.