Lazarus pivots to Linux attacks through Dacls Trojan

The Trojan is able to infect both Windows and Linux machines.
Written by Charlie Osborne, Contributing Writer

Lazarus, an advanced persistent threat (APT) group, has expanded its reach with the development and use of a Trojan designed to attack Linux systems. 

The APT, suspected to hail from North Korea, has previously been connected to global cyberattacks and malware outbreaks including the infamous WannaCry rampage, the $80 million Bangladeshi bank heist, and a new campaign impacting financial institutions worldwide. 

Recent reports suggest that Lazarus has become a customer of Trickbot, a criminal enterprise that is offering the state-sponsored threat actors access to infected systems alongside a collection of hacking tools. 

Lazarus may be willing to purchase tools from others but may also be capable of creating its own, such as in the case of a new Remote Access Trojan (RAT) spotted by researchers from Netlab 360. 

On Tuesday, the cybersecurity firm said the Trojan, called Dacls, may have appeared on the scene as early as in May this year, and while identified by over 20 antivirus vendors -- according to VirusTotal -- is still considered "unknown."

See also: This aggressive IoT malware is forcing Wi-Fi routers to join its botnet army

After investigating a malware sample uploaded to the website, the team determined it was a "fully functional, covert and RAT program for Windows and Linux platforms" likely connected to Lazarus. 

In total, five samples were obtained by the researchers. One of the Windows samples was cited in a report, CES Themed Targeting from Lazarus, whilst another sample was tagged as the work of Lazarus by CyberWar. A domain linked to the malware, thevagabondsatchel.com, is a further indication of Lazarus involvement as the website has previously been used by the APT to store malware. 

While the Windows module is dynamically loaded through a remote URL, the Linux variety is directly compiled and includes six overall modules for command execution, file and process management, network access tests, network scanning, and C2 connections. 

The researchers believe that CVE-2019-3396, a remote code execution flaw impacting the Widget Connector macro in Atlassian Confluence server version 6.6.12 and below, is used to infect systems and deploy Dacls.

TechRepublic: Report: Financial firms still losing customer data to malware and hackers

The RAT, which comes in different flavors depending on which operating system is being targeted, shares its command-and-control (C2) protocol. Dacls is modular malware and uses TLS and RC4 encryption when communicating with its C2, as well as AES encryption to protect configuration files. 

Once the Linux version lands on a vulnerable machine, the malware will run in the background and check for updates. Dacls will then unpack and decrypt its configuration file and connect to its C2. 

The Trojan is able to perform functions including stealing, deleting, and executing files; scanning directory structures, downloading additional payloads, killing processes, creating daemon process, and uploading data including scan results and command execution output. 

As the malware is spread through a known vulnerability with a patch readily available, it is recommended that IT admins make sure their Confluence setups are kept up-to-date. 

CNET: New Orleans city computers offline after cyberattack

Another interesting form of Linux malware, dubbed Skidmap, was spotted by Trend Micro in September. The malicious code uses rootkits in an attempt to bury itself in the kernel and stay unobtrusive while deploying illicit cryptocurrency miners. 

10 worst hacks and data breaches of 2019 (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards