Researchers have recently discovered a previously unknown RAT (Remote Access Trojan), named "Dacls", attributed to the infamous Lazarus APT group and designed to target both Windows and Linux hosts.
The group is also known as HIDDEN COBRA (by the United States Intelligence Community) and Zinc (by Microsoft), and is notorious for the hack of Sony Pictures in late November 2014 and for being behind the WannaCry ransomware.
Lazarus Malware Analysis
Dacls is the first malware from the Lazarus group seen attacking Linux distributions, and at the time of discovery only two antivirus engines flagged the ELF sample as suspicious. The trojan comes in two variants, Win32.Dacls for Windows and Linux.Dacls for Linux.
Researchers from 360 Netlab observed the hard-coded strings c_2910.cls and k_3872.cls in the collected samples.
A Win32.Dacls sample downloaded from https://thevagabondsatchel.com/wpcontent/uploads/2019/03/wm64.avi has been tagged by VirusTotal as associated with the Lazarus Group. Note that the payload is served under a video file extension (.avi), so the file type should be judged by its header, not its name.
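A small triage scanner for the two hard-coded strings reported above, added here as an example (it is not code from the 360 Netlab report or from the article). It classifies files by header (ELF for Linux.Dacls, PE for Win32.Dacls, which also catches a PE served as ".avi") and reports which of the strings each file contains; the input in the test is a constructed byte string, not a real sample.

```python
"""Triage scanner for the hard-coded Dacls strings reported by 360 Netlab.

Added example, not code from the article or from 360 Netlab. The only
inputs it needs are files on disk; the test feeds it constructed bytes.
"""
import os
import sys

# Strings observed in the Dacls samples (taken from the article text).
DACLS_STRINGS = (b"c_2910.cls", b"k_3872.cls")

ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"


def file_kind(data: bytes) -> str:
    """Classify by header bytes, never by file extension."""
    if data.startswith(ELF_MAGIC):
        return "ELF"
    if data.startswith(PE_MAGIC):
        return "PE"
    return "other"


def scan_bytes(data: bytes) -> dict:
    """Return the file kind and which Dacls strings occur in the blob."""
    hits = [s.decode() for s in DACLS_STRINGS if s in data]
    return {"kind": file_kind(data), "hits": hits, "match": bool(hits)}


def scan_tree(root: str, max_size: int = 50 * 1024 * 1024) -> list:
    """Walk a directory tree; return (path, kind, hits) for every file that matches.

    Files above max_size are skipped so the scan stays bounded in memory.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    result = scan_bytes(fh.read())
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the scan
            if result["match"]:
                findings.append((path, result["kind"], result["hits"]))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, kind, hits in scan_tree(root):
        print(f"{path}: {kind} contains {', '.join(hits)}")
```

Plain string matching is a quick first pass for the indicators the report names; it is trivially defeated by packing or string obfuscation, so treat a miss as inconclusive and a hit as a reason to pull the file for proper analysis.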
The RAT also carries a reverse P2P plugin that acts as a C2 connection proxy: it relays traffic between bots and the C2 server, so bots reach the operator only indirectly.
This is a technique the Lazarus Group uses frequently. With a connection proxy, the number of hosts that connect to the real C2 is reduced, and the communication between the target and the real C2 is hidden behind the proxy.
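To make the proxy arrangement concrete, the following added example (written for this page, not the Dacls plugin's own code; its protocol is not described here) runs a plain TCP relay on loopback between a stand-in "bot" and a stand-in "C2". The bot is given only the relay's address; the C2 sees a connection from the relay's own socket, so a defender reading the victim's connection logs sees the relay, not the real C2. The addresses, ports and the "beacon" message are all constructed for the demo.

```python
"""Loopback demo of a C2 connection proxy (added example, not Dacls code).

bot --> proxy --> real C2. The bot never learns the C2 address and the C2
never sees the bot's socket, only the proxy's upstream socket.
"""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_proxy(upstream: tuple) -> tuple:
    """Listen on an ephemeral loopback port and relay every client to `upstream`.

    Returns ((host, port) for bots to use, list of local ports the proxy used
    towards the C2). The port list exists only so the demo can prove which
    side the C2 actually saw.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    upstream_ports = []

    def serve():
        while True:
            client, _ = listener.accept()
            up = socket.create_connection(upstream)
            upstream_ports.append(up.getsockname()[1])
            threading.Thread(target=_pump, args=(client, up), daemon=True).start()
            threading.Thread(target=_pump, args=(up, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname(), upstream_ports


def start_fake_c2() -> tuple:
    """Stand-in for the operator's real C2: records peers, acknowledges beacons."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    seen = []  # (peer_address, first_message) per connection

    def serve():
        while True:
            conn, peer = listener.accept()
            data = conn.recv(4096)
            seen.append((peer, data))
            conn.sendall(b"C2-ACK:" + data)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname(), seen


def bot_checkin(target: tuple, payload: bytes) -> bytes:
    """The bot side: send one beacon to `target` (the proxy) and read the reply."""
    with socket.create_connection(target) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # tell the relay we are done sending
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
        return reply


def demo() -> dict:
    """Wire up C2 <- proxy <- bot on loopback and return what each side saw."""
    c2_addr, seen = start_fake_c2()
    proxy_addr, proxy_ports = start_proxy(c2_addr)
    reply = bot_checkin(proxy_addr, b"beacon")
    return {
        "reply": reply,
        "bot_target": proxy_addr,
        "c2_addr": c2_addr,
        "c2_peer_port": seen[0][0][1],
        "proxy_upstream_ports": list(proxy_ports),
    }


if __name__ == "__main__":
    print(demo())
```

The relay is deliberately dumb (byte-for-byte in both directions), which is exactly what makes it cheap to stand up on many compromised hosts and why blocking the one address a victim talked to does not reveal the operator's real server.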
Researchers confirmed that the Lazarus Group used the N-day vulnerability CVE-2019-3396 (a server-side template injection in the Widget Connector of Atlassian Confluence Server) to spread the Dacls bot program.
360 Netlab has published a full report on Dacls.