Dacls RAT, the first Lazarus malware that targets Linux devices

Researchers spotted a new Remote Access Trojan (RAT), dubbed Dacls, that was used by the Lazarus APT group to target both Windows and Linux devices.

Experts at Qihoo 360 Netlab revealed that the North-Korea Lazarus APT group used a new Remote Access Trojan (RAT), dubbed Dacls, to target both Windows and Linux devices.

The activity of the Lazarus APT group (aka HIDDEN COBRA) surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

Dacls is the first malware linked to the Lazarus group that targets Linux systems.

“At present, the industry has never disclosed the Lazarus Group’s attack samples and cases against the Linux platform. And our analysis shows that this is a fully functional, covert and RAT program targeting both Windows and Linux platforms, and the samples share some key characters being used by Lazarus Group.” reads the analysis published by Qihoo 360 Netlab.

“At present, the industry has never disclosed the Lazarus Group’s attack samples and cases against the Linux platform.”

The experts found evidence that links the Dacls RAT to the Lazarus Group hackers, for example, the download server ‘thevagabondsatchel[.]com‘ was involved in past campaigns of the Lazarus APT.

The name Dacls comes from its file name and the hard-coded strings, the malware has a modular structure that could extend its capabilities by loading plugins. In the attacks against Windows systems, the RAT dynamically loads plug-ins remotely on compromised Windows servers, while the Linux version compiles the plugin directly in the bot program.

The main functions implemented by the Linux.Dacls Bot include command execution, file management, process management, test network access, C2 connection agent, and network scanning.

The command and control protocol uses TLS and RC4 double-layer encryption, Dacls uses AES to encrypt configuration file and supports C2 instruction dynamic update.

The experts discovered several samples of both Windows and Linux Dacls on the server:

http://www.areac-agr[.]com/cms/wp-content/uploads/2015/12/

along with a working exploit for the Atlassian Confluence (CVE-2019-3396) that was likely used by the Lazarus APT to spread the Dacls RAT.

The RAT leverages a reverse P2P plug-in as a C2 Connection Proxy.

“The Reverse P2P plug-in is actually a C2 Connection Proxy, it
directs network traffic between bots and C2 to avoid direct connections to their infrastructure. This is a common used technique by the Lazarus Group.” continues the analysis.

“With connection proxy, the number of target host connections can be reduced, and the communication between the target and the real C2 can be hidden.”

The Qihoo 360 Netlab researchers recommend Confluence users to patch their system as soon as possible to avoid Dacls infections.

Additional technical details, including a list of indicators of compromise (IOCs) are reported in the analysis published by the experts.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Dacls RAT, Lazarus)

[adrotate banner=”5″]

[adrotate banner=”13″]