Experts at Qihoo 360 Netlab revealed that the North-Korea Lazarus APT group used a new Remote Access Trojan (RAT), dubbed Dacls, to target both Windows and Linux devices.
The activity of the Lazarus APT group (aka HIDDEN COBRA) surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.
Dacls is the first malware linked to the Lazarus group that targets Linux systems.
“At present, the industry has never disclosed the Lazarus Group’s attack samples and cases against the Linux platform. And our analysis shows that this is a fully functional, covert and RAT program targeting both Windows and Linux platforms, and the samples share some key characters being used by Lazarus Group.” reads the analysis published by Qihoo 360 Netlab.
“At present, the industry has never disclosed the Lazarus Group’s attack samples and cases against the Linux platform.”
The experts found evidence that links the Dacls RAT to the Lazarus Group hackers, for example, the download server ‘
The name Dacls comes from its file name and the hard-coded strings, the malware has a modular structure that could extend its capabilities by loading plugins. In the attacks against Windows systems, the RAT dynamically loads plug-ins remotely on compromised Windows servers, while the Linux version compiles the plugin directly in the bot program.
The main functions implemented by the Linux
The command and control protocol uses TLS and RC4 double-layer encryption, Dacls uses AES to encrypt configuration file and supports C2 instruction dynamic update.
The experts discovered several samples of both Windows and Linux Dacls on the server:
The RAT leverages a reverse P2P plug-in as a C2 Connection Proxy.
“The Reverse P2P plug-in is actually a C2 Connection Proxy, it
“With connection proxy, the number of target host connections can be reduced, and the communication between the target and the real C2 can be hidden.”
The Qihoo 360 Netlab researchers recommend Confluence users to patch their
Additional technical details, including a list of indicators of compromise (IOCs) are reported in the analysis published by the experts.