Lazarus Group is a highly notorious North Korea’s state-backed hacker group that is popular for authoring 2017’s WannaCry ransomware attack that affected as many as 300,000 computers all over the world. Now, the group has launched a new Remote Access Trojan (RAT) malware called Dacls affecting both Windows and Linux devices.
Spotted by researchers at Qihoo 360 Netlab, Dacls is the first Linux malware by Lazarus group as the group has previously targeted only Windows and macOS devices.
According to security researchers, “At present, the industry has never disclosed the Lazarus Group’s attack samples and cases against the Linux platform.”
The reason why Dacls has been linked to the Lazarus group is thevagabondsatchel.com download server that was in several previous campaigns of the APT (Advanced Persistent Threat) group.
As per security researchers, Dacls can dynamically load plug-ins remotely on affected Windows servers, whereas its Linux version contains all the plug-ins it needs to attack within the bot component.
The malware secures its command and control communication channels using TLS and RC4 double-layer encryption. It deploys the AES encryption technique to encrypt its configuration files.
Dacls exploits the CVE-2019-3396 RCE bug that affects Atlassian Confluence Server installations.
With the help of its plug-ins, Dacls can receive and execute C2 commands, download additional data from the C2 server, perform network connectivity testing, scan random networks on 8291 port, and much more. You can read about all the capabilities of this malware in this report by Qihoo 360 Netlab.
The report reads, “We are not sure why TCP 8291 is targeted, but we know that the Winbox protocol of the MikroTik Router device works on TCP / 8291 port and is exposed on the Internet.”
If Dacls malware affects an intranet host, it can further attack the isolated segment, which makes it a threat for organizations.
Security researchers from Qihoo 360 Netlab have advised Confluence users to update their systems to evade the Dacls RAT.