Lazarus APT Group Linked to New Dacls Malware That Targets Linux Systems

  • The Lazarus APT group has been observed to be using a new malware that goes after Linux systems.
  • This malware is a Remote Access Trojan (RAT) dubbed Dacls that can also impact Windows devices.

Lazarus APT group - A quick history

Also known as the HIDDEN COBRA, the Lazarus APT group is said to have surged in 2014 and 2015.

  • The group has been active since at least 2009 and usually used tailored malware in their attacks.
  • Several major attacks including the WannaCry ransomware attack and the Sony Pictures hack are said to be launched by the Lazarus APT group.

The newly spotted malware, Dacls, is supposedly the first malware the group has used to target Linux systems.

The malware details

The Dacls RAT can perform several functions including network scanning, command execution, file management, process management, and more.

  • Its file name and hardcoded string have contributed to its name, ‘Dacls’.
  • When launching attacks against Windows systems, this RAT remotely loads plugins dynamically. In the case of Linux systems, it compiles the plugin in the bot program.
  • To avoid directly connecting to the attackers’ infrastructure, the malware has a reverse P2P plug-in that acts as a C2 Connection Proxy and routes traffic between bots and the C2 server.

Researchers at Qihoo 360 Netlab, who spotted the malware, speculate that the Lazarus APT group is exploiting the CVE-2019-3396 vulnerability to inject the Dacls malware on unpatched Confluence servers.

What can users do?

Confluence users are recommended to patch their systems as soon as possible to avoid threats from the Dacls RAT.

Apart from this, users can check if they’ve been already infected by the malware. The IoCs provided by researchers can also be monitored and blocked as precautionary measures.