Researchers have discovered a previously unknown, fully functional Remote Access Trojan called "Dacls", attributed to the infamous Lazarus APT group, that targets both Linux and Windows platforms.
This is the first time the security industry has seen malware from the Lazarus group targeting the Linux platform, and only 2 antivirus engines detected the suspicious ELF file sample.
The Lazarus group has been involved in various cyber-attacks that GBHackers reported in the past, and it has already targeted several financial organizations around the world using various advanced tools and techniques.
Threat actors developed this new remote access Trojan with full functionality to infect both Windows and Linux; the researchers named the variants Win32.Dacls and Linux.Dacls.
The Win32.Dacls plug-in module is dynamically loaded through a remote URL, while Linux.Dacls uses 6 different plug-in modules: command execution, file management, process management, network access testing, a C2 connection agent, and network scanning.
Connection With Lazarus Group
Researchers from NetLab360 observed the hard-coded strings c_2910.cls and k_3872.cls in the samples collected from telemetry data, and confirmed that these samples share the same code and that the C2 code uses the same instruction set in the RAT procedure, which is suitable for both Windows and Linux.
A sample (Win32.Dacls) distributed to attack Windows machines was downloaded from https://thevagabondsatchel.com/wp-content/uploads/2019/03/wm64.avi, which the VirusTotal community has already marked as a sample associated with the Lazarus Group.
According to NetLab360, "we linked to another NukeSped sample through this download address b578ccf307d55d3267f98349e20ecff1, and its download address is http://thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi. In October 2019, this sample of b578ccf307d55d3267f98349e20ecff1 NukeSped was tagged by Twitter user @cyberwar_15 as Lazarus Group."
The attackers dropped a series of samples from the C2 server, including Win32.Dacls and Linux.Dacls, the open source program Socat, and a Confluence CVE-2019-3396 payload.
Researchers also confirmed that the Lazarus Group used the CVE-2019-3396 N-day vulnerability to spread the Dacls bot program.
The Dacls cross-platform RAT's C2 protocol uses TLS and RC4 double-layer encryption; its configuration file uses AES encryption, and it supports dynamic updating of C2 instructions.
Confluence users are highly recommended to apply updates and patches on time, and to monitor and block Dacls RAT-related IPs, URLs and domain names.
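As an added defender-side example (not code from the article, NetLab360 or GBHackers), the script below turns the indicators this article names into triage checks: it looks for the hard-coded strings in a file's bytes, compares a file's MD5 against the NukeSped hash, and flags proxy log lines that reach the download domain. The proxy log format and the log lines are constructed assumptions.

```python
"""Triage helpers built only from indicators named in this article (constructed
example): the hard-coded strings, the download URLs, and the NukeSped MD5."""
import hashlib
from urllib.parse import urlparse

# Indicators quoted from the article above.
DACLS_STRINGS = [b"c_2910.cls", b"k_3872.cls"]
DACLS_URLS = {
    "https://thevagabondsatchel.com/wp-content/uploads/2019/03/wm64.avi",
    "http://thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi",
}
NUKESPED_MD5 = {"b578ccf307d55d3267f98349e20ecff1"}
# Domains derived from the indicator URLs; subdomains are matched too.
DACLS_DOMAINS = {urlparse(u).hostname for u in DACLS_URLS}

def scan_bytes(data: bytes) -> list:
    """Return the hard-coded Dacls strings found in a file's raw bytes."""
    return [s.decode() for s in DACLS_STRINGS if s in data]

def md5_matches(data: bytes) -> bool:
    """True if the file's MD5 equals the NukeSped hash named in the article."""
    return hashlib.md5(data).hexdigest() in NUKESPED_MD5

def _host_is_indicator(host) -> bool:
    return host is not None and any(
        host == d or host.endswith("." + d) for d in DACLS_DOMAINS)

def match_proxy_log(lines) -> list:
    """Return (client_ip, url) for lines that reach a Dacls indicator.
    Assumed (constructed) log format: '<timestamp> <client_ip> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of crashing on them
        ip, url = parts[1], parts[2]
        if url in DACLS_URLS or _host_is_indicator(urlparse(url).hostname):
            hits.append((ip, url))
    return hits

# Constructed proxy log; only the middle two lines touch an indicator.
SAMPLE_LOG = [
    "2019-12-17T10:01:02Z 10.0.0.5 https://example.org/index.html",
    "2019-12-17T10:01:09Z 10.0.0.7 https://thevagabondsatchel.com/wp-content/uploads/2019/03/wm64.avi",
    "2019-12-17T10:02:44Z 10.0.0.9 http://cdn.thevagabondsatchel.com/other.bin",
    "2019-12-17T10:03:00Z 10.0.0.5 https://example.org/logo.png",
]
```

Running `match_proxy_log(SAMPLE_LOG)` returns the two hits for 10.0.0.7 and 10.0.0.9; feed real proxy exports and file bytes in place of the constructed samples.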
Indicators of Compromise