By Brandon Adcock, Avertium CyberOps Analyst
A new RAT malware dubbed Dacls has been identified by security researchers. Connected to the Lazarus Group, an entity known for hacking Sony Films in late 2014 and for the global WannaCry outbreak in 2017, the Dacls Remote Access Trojan (RAT) infects devices running Windows, macOS, and Linux. Dacls has one build for the first two operating systems and a separate build for Linux. It is highly modular, with different ways of deploying those modules depending on the infected host’s environment.
Dacls is built either to come precompiled with all required modules (when infecting Linux hosts) or to download the modules as needed during the early stages of infection (when infecting Windows hosts). The modules are downloaded over TLS (port 443) with two layers of RC4 encryption. The configuration file is downloaded first, with the file itself encrypted using AES. The plug-and-play modules allow major feature changes to be made dynamically to adapt to evolving scenarios. The modules observed include:
Process Handling – Kill, start, or inject into processes
IP Test – Test whether a specified IP address can be reached
Command Execution – Executes a command sent by the Command & Control servers
File Handling – Delete, create, or modify files on the system
C2 Download – Downloads files when new instructions arrive from the Command & Control servers
Port Scan – Scans for hosts on the network with open TCP 8291 ports (likely targeting MikroTik routers).
Dacls beacons out to its C2 and identifies the infected machine using the host information it collects (IP address, computer/system name, etc.).
The current builds of Dacls include a vulnerability exploitation module that targets systems vulnerable to CVE-2019-3396, a bug in the Confluence software. The vulnerability allows bad actors to abuse the widget connector to achieve path traversal or remote code execution. The bad actors have built a module with working exploit code for this vulnerability and host it on one of their C2 servers.
Dacls infects Linux systems differently. It keeps a separate configuration file for each module, stored in the user’s home directory (/home/(user)/.memcache). The malware is initially installed in the /tmp directory and starts running from there before establishing persistence in other core system directories. The file module goes beyond basic file management with the ability to use the find command. Most of the processes created or handled by the malware are daemon processes. A reverse P2P plugin (exclusive to the Linux version) allows proxied connections between the infected host and the malicious infrastructure.
The RC4 implementation uses a key generated by the malware with a randomized length between zero and 50 bytes. The state tables built in the code depend largely on the key values specified when the symmetric key pair is generated.
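As an added illustration (not the report’s or the malware’s code), the following analyst helper shows why RC4’s state table depends on the key and how two stacked RC4 layers are peeled off a captured module blob once both keys have been recovered. The key names, key values and sample bytes are constructed for the demonstration; the 1..50 byte length check reflects the report’s stated key-length range, with a zero-length key rejected because standard RC4 cannot schedule it.

```python
# Added example (not the report's or the malware's code): RC4 key scheduling,
# RC4 encryption/decryption, and removal of two stacked RC4 layers from a
# captured module blob. All keys and sample data here are constructed.

def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling: permute the 256-entry table S using the key bytes.
    A different key (or key length) yields a different permutation, which is
    why the state tables depend on the key values."""
    if not key:
        # Standard RC4 indexes key[i % len(key)]; an empty key cannot be
        # scheduled, so treat it as an analysis error instead of guessing.
        raise ValueError("RC4 key must be at least one byte")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA: XOR the data with the RC4 keystream. RC4 is symmetric, so the
    same call both encrypts and decrypts."""
    s = rc4_ksa(key)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unwrap_two_layers(blob: bytes, outer_key: bytes, inner_key: bytes) -> bytes:
    """Strip two stacked RC4 layers (outer first, then inner). Key lengths are
    checked against the 1..50 byte range (assumed from the report's 0..50).
    Because RC4 is a pure XOR stream cipher, the two layers commute unless one
    key is derived from the intermediate result."""
    for k in (outer_key, inner_key):
        if not 1 <= len(k) <= 50:
            raise ValueError("key length outside the expected 1..50 byte range")
    return rc4_crypt(inner_key, rc4_crypt(outer_key, blob))


def wrap_two_layers(plain: bytes, outer_key: bytes, inner_key: bytes) -> bytes:
    """Inverse of unwrap_two_layers; used here only to build sample input."""
    return rc4_crypt(outer_key, rc4_crypt(inner_key, plain))
```

The single-layer results can be checked against the public RC4 test vectors (for example key "Key" with plaintext "Plaintext" gives bbf316e8d940af0ad3).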
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.