Lazarus APT Hacker Group Attacks Linux & Windows Platforms Using Dacls RAT

Researchers discovered a previously unknown, fully functional Remote Access Trojan called "Dacls", from the infamous Lazarus APT hacker group, that attacks both the Linux and Windows platforms.

This is the first time the security industry has seen malware from the Lazarus group targeting the Linux platform, and only 2 antivirus engines detected the suspicious ELF file sample.

The Lazarus group has been involved in various cyber-attacks that GBHackers reported in the past, and it has already targeted several financial organizations around the world using various advanced tools and techniques.

The threat actors developed this new remote access Trojan with full functionality to infect both Windows and Linux, and the researchers named the two variants Win32.Dacls and Linux.Dacls.

The Win32.Dacls plug-in module is loaded dynamically from a remote URL, while Linux.Dacls uses 6 different plug-in modules: command execution, file management, process management, network access testing, a C2 connection agent and network scanning.

Connection With Lazarus Group

Researchers from NetLab360 observed the hard-coded strings c_2910.cls and k_3872.cls in samples collected from telemetry data, and confirmed that these samples come from the same code base and that the C2 instruction set used by the RAT is the same, and works on both Windows and Linux.

A sample (Win32.Dacls) distributed to attack Windows machines was downloaded from https://thevagabondsatchel.com/wp-content/uploads/2019/03/wm64.avi, which the VirusTotal community has already tagged as a sample associated with the Lazarus Group.

According to NetLab360, "we linked to another NukeSped sample through this download address b578ccf307d55d3267f98349e20ecff1, and its download address is http://thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi. In October 2019, this sample of b578ccf307d55d3267f98349e20ecff1 NukeSped was tagged by Twitter user @cyberwar_15 as Lazarus Group."

The attackers dropped a series of samples from the C2 server, including Win32.Dacls and Linux.Dacls, the open source program Socat, and a Confluence CVE-2019-3396 payload.

Researchers also confirmed that the Lazarus Group used the CVE-2019-3396 N-day vulnerability to spread the Dacls bot program.

The Dacls cross-platform RAT and its C2 protocol use double-layer TLS and RC4 encryption; the configuration file is AES-encrypted, and the RAT supports dynamic updating of its C2 instructions.

Confluence users are strongly advised to apply patches on time, and to monitor and block Dacls RAT-related IPs, URLs and domain names.
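As an added example (not code from NetLab360 or from this article), a small Python triage helper that checks files for the hard-coded Dacls strings mentioned above and compares each file's MD5 against an IoC set you supply; the ELF and benign blobs are constructed for illustration and are not real samples.

```python
import hashlib
import struct
from pathlib import Path
from typing import Dict, Iterator, Optional, Set

# Hard-coded strings that NetLab360 observed in both the Windows and Linux Dacls samples.
DACLS_STRINGS = (b"c_2910.cls", b"k_3872.cls")


def file_kind(data: bytes) -> Optional[str]:
    """Classify a blob as 'elf' or 'pe' from its magic bytes; None for anything else."""
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
    return None


def triage(data: bytes, known_md5: Set[str]) -> Dict[str, object]:
    """Report string hits, the MD5, and whether the blob matches the supplied IoC set."""
    md5 = hashlib.md5(data).hexdigest()
    hits = [s.decode() for s in DACLS_STRINGS if s in data]
    return {
        "kind": file_kind(data),
        "md5": md5,
        "strings": hits,
        "known_sample": md5 in known_md5,
        "suspicious": bool(hits) or md5 in known_md5,
    }


def scan_dir(root: str, known_md5: Set[str]) -> Iterator[Dict[str, object]]:
    """Triage every regular file under root and yield only the suspicious ones."""
    for path in Path(root).rglob("*"):
        if path.is_file():
            result = triage(path.read_bytes(), known_md5)
            if result["suspicious"]:
                result["path"] = str(path)
                yield result


# Constructed sample blobs (not real malware): a minimal ELF header carrying one
# of the Dacls strings, and a benign shell script for comparison.
FAKE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x00plugin k_3872.cls\x00"
BENIGN = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    KNOWN_MD5: Set[str] = set()  # placeholder: fill from the article's IoC list
    for blob in (FAKE_ELF, BENIGN):
        print(triage(blob, KNOWN_MD5))
```

Feed `scan_dir` a quarantine directory and the published MD5 list to get a shortlist of files worth a closer look; a string hit alone is a lead, not a verdict.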

Indicators of Compromise

Sample MD5

