
Lazarus Group Hides macOS Spyware in 2FA Application
2020-05-06 21:10

Taking a closer look at the malware, the malicious Mac executable sits in the "Contents/Resources/Base.lproj/" directory of the fake application and pretends to be a nib file, according to researchers at Malwarebytes in a posting on Wednesday.

Once it starts, it creates a property list (plist) file that specifies the application to be executed after reboot; the content of the plist file is hardcoded within the application.
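A defender-side check for the two traits described above, added here as an example and not code from the article or from Malwarebytes: it assumes the persistence plist is a launchd agent (Program / ProgramArguments keys) and flags entries whose program lives under an app bundle's Base.lproj resource directory or whose ".nib" file is actually a Mach-O binary. The plists and file headers are constructed samples.

```python
import plistlib
import re

# Constructed launchd agent plists (not real IoCs): one benign, one mimicking the
# described trick of launching a fake "nib" from Contents/Resources/Base.lproj/.
GOOD_AGENT = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/Example", "--check"],
    "RunAtLoad": True,
})
SUSPICIOUS_AGENT = plistlib.dumps({
    "Label": "com.example.fake2fa",
    "ProgramArguments": ["/Applications/Fake2FA.app/Contents/Resources/Base.lproj/Main.nib"],
    "RunAtLoad": True,
})

# Constructed stand-in for the filesystem: path -> first bytes of the file.
# CF FA ED FE is the on-disk magic of a 64-bit little-endian Mach-O; CA FE BA BE is a fat binary.
FAKE_FS = {
    "/Applications/Fake2FA.app/Contents/Resources/Base.lproj/Main.nib": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",
    "/Applications/Example.app/Contents/MacOS/Example": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",
}
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
RESOURCE_DIR = re.compile(r"\.app/Contents/Resources/Base\.lproj/")


def program_path(plist_bytes):
    """Resolve what launchd would execute: ProgramArguments[0], else Program."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments")
    return args[0] if args else d.get("Program")


def is_macho(header):
    return header[:4] in MACHO_MAGICS


def assess_agent(plist_bytes, read_header=FAKE_FS.get):
    """Return a list of findings for one launchd plist; empty means nothing suspicious."""
    findings = []
    path = program_path(plist_bytes)
    if path is None:
        return findings
    if RESOURCE_DIR.search(path):
        findings.append("program lives in Base.lproj, a resource directory, not an executable location")
    header = read_header(path) or b""
    if path.endswith(".nib") and is_macho(header):
        findings.append("file named .nib is a Mach-O executable")
    return findings
```

On a real host, replace `FAKE_FS.get` with a function that opens the path and reads its first bytes, and feed it every plist under the LaunchAgents and LaunchDaemons directories.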

Each plugin has its own configuration section in the config file which will be loaded at the initialization of the plugin.

The first plugin, CMD, is similar to the "Bash" plugin in the Linux RAT, which receives and executes commands by providing a reverse shell to the C2 server, according to Malwarebytes.

The new SOCKS plugin meanwhile is "Similar to the RP2P plugin and acts as an intermediary to direct the traffic between bot and C&C infrastructure," according to the writeup.


News URL

https://threatpost.com/lazarus-macos-spyware-2fa-application/155532/