Recently, Lazarus Group Unleashes Its First Linux Malware. The Lazarus APT group has been observed to be using a new malware that goes after Linux systems. A new RAT (Remote Access Trojan) malware dubbed Dacls and connected to the Lazarus Group has been spotted by researchers while being used to target both Windows and Linux devices. While they are known for targeting both Windows [1, 2, 3] and macOS [1, 2] targets, this is the first time they are connected to malware capable of infecting and abusing Linux devices. Such malwares affects the normal and smooth functioning of the systems to the great extends. The RAT is used by North Korea’s state-backed Lazarus Group as security researchers at Qihoo 360 Netlab who discovered it speculate in their report. Lazarus Group is a highly notorious North Korea’s state-backed hacker group has launched a new Remote Access Trojan (RAT) malware
called Dacls which can affect both Linux and window devices. The malware secures its command and control communication channels using TLS and RC4 double-layer encryption. It deploys the AES(advanced encryption standard) encryption technique to encrypt its configuration files.
What is Dacls?
Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely. Research shows that this malware is tied to Lazarus Group (a group of cyber criminals), and it targets Linux and Windows operating system. Typically, cyber criminals use RATs as tools to steal sensitive, confidential information, infect systems with other malware, and so on. Either way, no RAT is harmless and it should be uninstalled as soon as possible.If used to infect systems with ransomware, Dacls could lead to financial and data loss. Banking malware and other similar malicious programs are used to steal various accounts (credentials), credit card details, and other sensitive information that could be misused to make fraudulent purchases, transactions and so on. By using Dacls RAT cyber criminals could cause their victims serious problems (data, financial loss, problems related to privacy, etc.).
The Lazarus APT group also known as the HIDDEN COBRA, is said to have surged in 2014 and 2015.
The group has been active since at least 2009 and usually used tailored malware in their attacks. Several major attacks including the WannaCry ransomware attack and the Sony Pictures hack are said to be launched by the Lazarus APT group.
The malware details:-
The Dacls RAT can perform several functions including network scanning, command execution, file management and more. It’s file name and hardcorded string have contributed to its name, ‘Dacls’.
- When launching attacks against Windows systems, this RAT remotely loads plugins dynamically. In the case of Linux systems, it compiles the plugin in the bot program.To avoid connecting to the attacker’s infrastructure, the malware has a reverse P2P plug-in that acts as a C2 Connection Proxy and routes traffic between bots and the C2 server.
Lazarus group is popular for authoring 2017’s WannaCry ransomware attack that affected as many as 300,000 computers all over the world. Now, the group has launched a new Remote Access Trojan (RAT) malware called Dacls affecting both Windows and Linux devices. Researchers at Qihoo 360 Netlab spotted it as the first Linux malware by Lazarus group as the group has previously targeted only Windows and macOS devices. “At present, the industry has never disclosed the Lazarus Group’s attack samples and cases against the Linux platform.” as security researchers said. Dacls has been linked to the Lazarus group because of thevagabondsatchel.com download server that was in several previous campaigns of the APT (Advanced Persistent Threat) group. According to the security researchers, Dacls can dynamically load plug-ins remotely on affected Windows servers, whereas its Linux version contains all the plug-ins it needs to attack within the bot component. The malware effectively secures its command and control communication channels using TLS and RC4 double-layer encryption. It deploys the AES encryption technique to encrypt its configuration files whenever needed. Dacls exploits the CVE-2019-3396 RCEbug that affects Atlassian Confluence Server installations. Dacls can receive and execute C2 commands, download additional data from the C2 server, perform network connectivity testing, scan random networks on 8291 port, and much more with the help of its plug-ins. One can read about all the capabilities of this malware in this report by Qihoo 360 Netlab. The report states, “We are not sure why TCP 8291 is targeted, but we know that the Winbox protocol of the MikroTik Router device works on TCP / 8291 port and is exposed on the Internet.” If Dacls malware(a threat for organizations) affects an intranet host, it can further attack the isolated segment. Security researchers have advised Confluence users to update their systems to evade the Dacls RAT. This threat group (also tracked as HIDDEN COBRA by the United States Intelligence Community and Zinc by Microsoft) is known for hacking Sony Films during late 2014 as part of Operation Blockbuster and for being behind the 2017 global WannaCryransomware epidemic.
- “At present, the industry has never disclosed the Lazarus Group’s attack samples and cases against the Linux platform,” the Qihoo 360 Netlab researchers state.
“And our analysis shows that this is a fully functional, covert and RAT program targeting both Windows and Linux platforms, and the samples share some key characters being used by Lazarus Group.”
The researchers linked the newly discovered dual-platform RAT to the Lazarus Group hackers based on the thevagabondsatchel[.]comdownload server the APT group also employed in past campaigns, as shown by open source threat intelligence data [1, 2] and malware analysis reports [1, 2]. According to the security researchers, Dacls can dynamically load plug-ins remotely on affected Windows servers, whereas its Linux version contains all the plug-ins it needs to attack within the bot component. Security researchers from Qihoo 360 Netlab have advised Confluence users to update their systems to evade the Dacls RAT.
What can users do?
Confluence users are recommended to patch their systems as soon as possible to avoid threats from the Dacls RAT. Apart from this, users can check if they’ve been already infected by the malware. The IoCs provided by researchers can also be monitored and blocked as precautionary measures.