
Dacls

Posted: December 18, 2019

Dacls is a Remote Access Trojan that executes commands from an attacker's server and gives the attacker control over both processes and files on the infected system. Shared server infrastructure implies that it's a tool of Lazarus Group, a North Korea-backed threat actor. Windows and Linux users should maintain proper security practices, such as keeping software updated to block attacks, and use anti-malware solutions for removing Dacls.

A Little Domain Reveals a Lot about a New RAT

A previously-unexamined Remote Access Trojan is getting its day in the sun, despite including quite a few features for avoiding detection by interested cyber-security researchers. The threat, Dacls, is hosted on the same server as a known C&C server for the NukeSped RAT – a specialized utility of Lazarus Group. And, just like the NukeSped RAT, the exposed Dacls offers deep and invasive capabilities for controlling systems, but it does so across a broader range of platforms than before.

Unlike all other known threats from the North Korean hackers' organization, Dacls is portable to Linux systems, in addition to the usual Windows build. In both cases, the Remote Access Trojan segments its features into multiple, smaller modules. Its modular design means the set of modules may grow beyond the list below, but malware experts can confirm the following modules as currently in use:

  • One module manages network-related features, including scanning for hosts exposing port 8291 – possibly, for exploiting MikroTik routers. It also can run long-running system commands.
  • A second, networking module conducts proxy functions that conceal the attacker's domain infrastructure and may direct other Dacls 'bots' in network-traversing actions.
  • As usual, Dacls accepts and executes commands from its Command & Control servers. The module responsible for this also obfuscates the activity through a temporary domain.
  • The 'test' module is the most specialized of Dacls's components and only tests network connectivity with configurable ports and addresses.
  • One module handles changes to files on infected systems, such as editing, deleting or uploading them.
  • Through a sixth module, Dacls can exercise control over running processes, including termination and monitoring duties.

Besides its unheard-of (for this threat actor) Linux compatibility, Dacls is an orthodox example of a network espionage-focused RAT.
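The first module above sweeps the network for port 8291 (the MikroTik Winbox management port). From a defender's side, that behaviour shows up in firewall or flow logs as one source touching many destinations on that port in a short window. The following detection is an added example written for this write-up, not code from the original article or from any Dacls sample; the log format, the window and the threshold are assumptions, and the log lines are constructed.

```python
"""Flag hosts that sweep many destinations on TCP port 8291.

Added example, not code from the original write-up. Input is a constructed
firewall log in the form "<epoch> <src_ip> <dst_ip> <dst_port> <action>";
the window and threshold below are tuning assumptions, not values from the
article.
"""
from collections import defaultdict

WINBOX_PORT = 8291          # port the write-up says the Dacls network module scans for
WINDOW_SECONDS = 60         # sliding window (assumption)
DISTINCT_TARGETS = 5        # distinct destinations per window that count as a sweep (assumption)

# Constructed sample log lines (not real traffic): 10.0.0.5 sweeps six hosts,
# 10.0.0.9 talks to a single host twice, 10.0.0.7 uses an unrelated port.
SAMPLE_LOG = """\
1576670000 10.0.0.5 192.168.1.10 8291 DENY
1576670001 10.0.0.5 192.168.1.11 8291 DENY
1576670002 10.0.0.5 192.168.1.12 8291 DENY
1576670003 10.0.0.5 192.168.1.13 8291 DENY
1576670004 10.0.0.5 192.168.1.14 8291 DENY
1576670005 10.0.0.5 192.168.1.15 8291 DENY
1576670010 10.0.0.9 192.168.1.10 8291 ALLOW
1576670011 10.0.0.9 192.168.1.10 8291 ALLOW
1576670012 10.0.0.7 192.168.1.20 443 ALLOW
1576670013 10.0.0.7 192.168.1.21 443 ALLOW
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action


def find_sweepers(log_text, port=WINBOX_PORT, window=WINDOW_SECONDS,
                  threshold=DISTINCT_TARGETS):
    """Return {src_ip: set(dst_ips)} for every source that contacted at least
    `threshold` distinct destinations on `port` within some `window`-second span.
    Repeated connections to one host (a legitimate admin) do not count."""
    events = defaultdict(list)            # src_ip -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport == port:
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()                        # order by timestamp for the sliding window
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits within `window` seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= threshold:
                hits.setdefault(src, set()).update(targets)
    return hits


if __name__ == "__main__":
    for src, targets in find_sweepers(SAMPLE_LOG).items():
        print(f"{src} swept {len(targets)} hosts on port {WINBOX_PORT}: {sorted(targets)}")
```

Counting distinct destinations rather than raw connection attempts is what separates a sweep from a noisy but legitimate management host; raise the threshold on networks where many MikroTik devices are administered from one jump host.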

Server-Side Vulnerabilities Serving Up Trojans

Samples of Dacls suggest that the Trojan's Linux version, at least, is being distributed with the aid of software vulnerabilities. The abuse of CVE-2019-3396 in Confluence server software is an angle of attack that malware experts also witness in unrelated threats, such as the crypto-mining worm, Golang, the AESDDoS Botnet, and some versions of the GandCrab Ransomware. Upgrading to the latest version of Confluence closes this vulnerability.

Lazarus Group also is, like most state-backed threat actors, familiar with deploying multiple malicious tools onto compromised networks. Besides Dacls and the NukeSped RAT, AppleJeus, the Jaku Botnet, the HOPLIGHT Trojan, and FASTCash show off the diverse aims and programming talents of this group. Lazarus Group also operates globally, although many of its targets are entities of interest to North Korea's government, such as companies and governments nearby in Asia.

Network administrators should continue abiding by practices for limiting their network's exposure to attackers and can consider more proactive measures, like blocking domains specific to Lazarus Group's operations. Most updated anti-malware products should be capable of deleting Dacls when appropriate. Dacls is a 'first' for Lazarus Group but not for other hacking organizations. Running Linux is not a security measure in itself, even though fewer Trojans target it, for the moment.
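Blocking attacker domains is only useful if the check also catches subdomains (the C&C module above hides behind a temporary domain) without matching unrelated names that merely end in the same characters. The following DNS-log check is an added example written for this write-up, not code from the original article; the blocklist entries and the log lines are constructed placeholders on the reserved `.invalid` TLD, and the log format is assumed.

```python
"""Match DNS query logs against a domain blocklist, including subdomains.

Added example, not code from the original write-up. BLOCKLIST and the log
lines are constructed placeholders (reserved .invalid TLD), not real
Lazarus Group indicators; the log format "<time> <client> query[<type>] <name>"
is an assumption.
"""

# Constructed placeholder blocklist; replace with vetted threat-intel domains.
BLOCKLIST = {"lazarus-c2.invalid", "proxy-node.invalid"}

# Constructed sample DNS log (not real traffic).
SAMPLE_DNS_LOG = """\
2019-12-18T10:00:01Z 10.0.0.5 query[A] update.lazarus-c2.invalid.
2019-12-18T10:00:02Z 10.0.0.5 query[A] www.example.com.
2019-12-18T10:00:03Z 10.0.0.7 query[A] notlazarus-c2.invalid.
2019-12-18T10:00:04Z 10.0.0.8 query[AAAA] PROXY-NODE.INVALID.
"""


def normalize(name):
    """Lower-case the name and drop the trailing root dot DNS logs often carry."""
    return name.rstrip(".").lower()


def labels(name):
    """Split a normalized name into its DNS labels."""
    return normalize(name).split(".")


def is_blocked(name, blocklist=BLOCKLIST):
    """True if `name` equals, or is a subdomain of, any blocklisted domain.
    Comparison is label-wise, so 'notlazarus-c2.invalid' does not match
    'lazarus-c2.invalid' the way a plain endswith() check would."""
    parts = labels(name)
    for blocked in blocklist:
        bparts = labels(blocked)
        if len(parts) >= len(bparts) and parts[-len(bparts):] == bparts:
            return True
    return False


def find_blocked_queries(log_text, blocklist=BLOCKLIST):
    """Return [(client_ip, queried_name)] for every query that hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, name = line.split()
        if is_blocked(name, blocklist):
            hits.append((client, normalize(name)))
    return hits


if __name__ == "__main__":
    for client, name in find_blocked_queries(SAMPLE_DNS_LOG):
        print(f"{client} resolved blocklisted name {name}")
```

The same label-wise comparison belongs in any resolver or proxy policy that is fed such a list; a substring or suffix match either misses subdomains or produces false positives on look-alike names.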
