Lazarus leverages Dacls Trojan to infect Windows and Linux systems


Researchers discovered a fully functional Remote Access Trojan operated by Lazarus hacking group

Lazarus uses Dacls RAT on Windows and Linux

Security experts from Netlab 360 have uncovered[1] a new Remote Access Trojan (RAT) used on Linux and Windows operating systems – currently being used in the wild by exploiting a known code execution vulnerability. Dubbed Dacls, the malware was in use since at least May this year and is attributed to the North Korean advanced persistent threat group Lazarus, also known as Hidden Cobra, Guardians of Peace, or Zinc.

Netlab 360 researchers have found a suspicious .ELF file in at the end of October, and initially thought that it is a part of a malicious unknown botnet. However, a further investigation proved connections to the Lazarus APT:[2]

On October 25, 2019, a suspicious ELF file (80c0efb9e129f7f9b05a783df6959812) was flagged by our new threat monitoring system. At first glance, it seems to be just another one of the regular botnets, but we soon realized this is something with potential link to the Lazarus Group.

Lazarus hacking group is believed to be funded by the North Korean government and is responsible for such high-profile attacks like Sony’s Operation Blockbuster in 2014,[3] as well as a global outbreak of WannaCry ransomware[4] infections in 2017. Although the APT is known to be leveraging already established malware like Trickbot or Mimikatz, it is also capable of creating its own RATs, as in the case with Dacls.

Dacls RAT abuses the code execution flaw CVE-2019-3396 in Atlassian Confluence server

Lazarus is known to target both, Windows and macOS systems, Dacls RAT is the first malware that has been utilized for Linux attacks. Netlab 360 spotted key characteristics within the malware sample that was relevant to the APT, although the initial scans showed that merely two AV vendors on Virus Total only recognized the sample. One of the main indicators that pointed experts to Lazarus was the download server thevagabondsatchel[.]com, which was commonly used by the group in previous attacks.[5]

While the detection rate grew rapidly (at the time of the writing, over 40 engines detect the malicious file), all the vendors still mark malware as “Generic.” Netlab 360 managed to get five samples of Dacls Trojan and produced an extensive report about the threat. Previously, multiple infosec community members managed to find samples of the RAT in the wild – Raeezabdulla at Virus Total, @cyberwar_15 on Twitter, and others.

According to research, it is believed that a remote code execution flaw CVE-2019-3396[6] is being used as the main attack vector and affects systems that run the Widget Connector macro in Atlassian Confluence Server versions 6.6.12 and below. 

Dacls is a remote control software packed with various modules

Dacls is a modular malware, so it uses different components to support its functionality. In Windows, Plugins are loaded remotely, while Linux incorporates all the plugins it requires through its bot component. The full list of malware functions includes:

  • command execution
  • file management
  • process management
  • test network access
  • C2 connection agent
  • network scanning module.

As soon as malware is loaded, it will connect to its C2 server – it uses TLS and RC4 double-layer encryption while communicating with it. Additionally, Dacls uses AES to encrypt files that are used for malware’s configuration settings. Once established, RAT is capable of performing a variety of malicious activities on the compromised servers, including stealing sensitive information, importing and deleting files, stopping processes, accessing Log server, obtaining PID and PPID reports, and much more.

Because Netlab 360 experts believe that the malware is spread via an already patched vulnerability, businesses and organizations that use The Widget Connector macro in Atlassian Confluence Server versions below 6.6.12 should immediately update to mitigate possible attacks.