New Larazus Group Dacls Malware targets Linux, Windows Devices

By Brandon Adcock, Avertium CyberOps Analyst

Dacls Overview

A new RAT malware dubbed Dacls has been identified by security researchers. Connected to the Lazarus Group, an entity known for hacking Sony Films in late 2014 and for the global WannaCry outbreak in 2017, the Dacls Remote Access Trojan (RAT) infects devices running Windows OS, MAC OS, and those running on Linux. The Dacls RAT has a build for the first two operating systems and a different build for Linux. It is highly modular with different ways of deploying those modules based on the infected host’s environment.

Tactics, Techniques, and Procedures

The Dacls malware is built to either come precompiled with all the modules required when infecting Linux hosts or by downloading the modules as needed during the early infection stages when infecting Windows hosts. The modules are downloaded over TLS (port 443) with two layers of RC4 encryption. The configuration file is downloaded first with file encryption performed via AES encryption. The Dacls RAT has plug-and-play modules allowing for major feature changes to occur dynamically to adapt to evolving scenarios.

Sample Dacls Modules Capabilities:

Process Handling – Kill, start, or inject into processes

IP Test – Test whether a specified IP address can be reached

Command Execution – Executes a command sent by the Command & Control servers

File Handling – Delete, create, or modify files on the system

C2 Download – Downloads files on new instructions from the Command & Control servers

Port Scan – Scans for hosts on the network with open TCP 8291 ports (likely targeting MikroTik routers).

Dacls RAT beacons out and identifies the infected machine based on the host information collected (IP address, Computer/System name, etc.).

The current builds of Dacls use the vulnerability exploitation module to target systems vulnerable to CVE-2019-3396, a bug affecting devices running the Confluence software. This vulnerability allows bad actors to exploit the widget connector to achieve a state of path traversal or remote code execution. The bad actors have created a module with working code to exploit this vulnerability and have hosted it on one of their C2 servers.

Dacls on Linux

Dacls infects Linux systems in a different way. It has separate configuration files for each of the modules which are stored in the user’s home directory (/home/(user)/.memcache). The malware initially is installed in the /tmp directory and starts running from there before gaining persistence in other core system directories. The file module has an additional function beyond file management with the ability to use the find command. Most of the processes created/handled by the malware are daemon processes. There’s a reverse P2P plugin (exclusive to the Linux version) that allows for proxied connections between the infected host and malicious infrastructure.

The RC4 implementation is based on a key generated by the malware using randomized key lengths between zero and 50. The tables created in the code are largely dependent on the key values specified when the symmetric key pair is generated.

Threat Impact

• May lead to unwanted system changes and the further infection of core infrastructure components
• Could result in the compromise of any MikroTik routers in your environment which may put any hosts connected to it at risk
• Could result in the spread of malware through the command execution module which may download more threats at the nation-state level

Recommendations

• Consider implementing blocks on the IOCs (Indicators of Compromise) listed below
• Monitor connections to TCP Port 8291 coming from both internal and external hosts
• If you don’t have MikroTik routers, block access to TCP Port 8291 internally and externally at the firewall
• Ensure that Confluence servers and MikroTik routers are up to date in your environment
• Utilize strong system monitoring on edge node devices using a robust logging setup and pipe those logs into your SIEM device
• Use security appliances with strong DMZ parameters and IDS/IPS capabilities to protect external-facing nodes
• Use FIM (File Integrity Monitoring) and strong system process monitoring to help alert your security personnel to any unexpected changes

Sources

• IBM X-Force Exchange Post
• Netlab 360 Blog Post
• Bleeping Computer Article
• AlienVault OTX IOC List
• About Threat Actor
• About Vulnerability (CVE-2019-3396)

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed detection and response service capabilities.