The Lazarus hacking group is one of the most notorious APTs (Advanced Persistent Threats) worldwide. The group hails from North Korea, and it is likely sponsored by the North Korean government to carry out attacks that further its interests globally. The Lazarus hacking group is back in the news with a new threat that targets Linux servers, in particular Atlassian Confluence servers. To gain access, the threat exploits CVE-2019-3396, a remote code execution (RCE) vulnerability in Confluence.
The First Threat by the Lazarus Group that Targets Linux Systems
This new malware strain is called Dacls, and it is a Remote Access Trojan (RAT). What should be noted is that the Dacls RAT is the first threat developed by the Lazarus hacking group that targets Linux devices; prior to this threat, the APT had only targeted systems running Windows and OS X. The Dacls Trojan is not limited to Linux, however: it is capable of going after Windows devices too. The Dacls RAT is designed to affect specific Atlassian Confluence server versions: those prior to 6.612, 6.7.0 before 6.12.3, 6.13.10 before 6.13.3, and 6.14.0 before 6.14.2.
The Dacls RAT Linux and Windows Versions Operate Differently
Upon studying the Dacls Trojan, malware researchers quickly determined that this threat belongs to the Lazarus hacking group. This became evident because the Dacls RAT uses the same download server as other threats designed by the Lazarus APT. The Dacls Trojan operates differently depending on whether it is targeting a Windows or a Linux system. The Linux version of the Dacls RAT has all of its plug-ins built into the main component, while the Windows variant downloads the plug-ins needed for the attack from a remote server. When the threat communicates with the attackers' C&C (Command & Control) server, it applies RC4 and TLS encryption. To encrypt its configuration files, the Dacls RAT uses the AES encryption algorithm.
The Dacls Trojan is capable of:
- Receiving C2 commands.
- Executing C2 commands.
- Testing the network's connectivity.
- Fetching data from the C&C server.
- Scanning the network on port 8291.
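The last capability in the list above, scanning the network on port 8291, is the one most visible to a defender: a single host fanning out to many peers on one port in a short window is a strong network-level indicator. The script below is an added example (it is not the RAT's code and not from the original article) that flags such fan-out in connection logs. It assumes a Zeek-style tab-separated conn.log layout (ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state); the log lines, hosts and thresholds are constructed for the example.

```python
"""Flag hosts that fan out to many peers on TCP/8291, the port the Dacls RAT
is reported to scan. Added example with constructed sample data; not the
RAT's own code and not from the original article."""
from collections import defaultdict

# Constructed Zeek-style conn.log excerpt (tab-separated). Columns assumed:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state.
# 10.0.0.5 probes six distinct hosts on 8291 within one second (scan-like);
# 10.0.0.7 talks repeatedly to one router on 8291 (normal admin traffic);
# 10.0.0.9 is unrelated HTTPS traffic.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1590000000.1\t10.0.0.5\t51234\t10.0.1.10\t8291\ttcp\tS0
1590000000.2\t10.0.0.5\t51235\t10.0.1.11\t8291\ttcp\tS0
1590000000.3\t10.0.0.5\t51236\t10.0.1.12\t8291\ttcp\tREJ
1590000000.4\t10.0.0.5\t51237\t10.0.1.13\t8291\ttcp\tS0
1590000000.5\t10.0.0.5\t51238\t10.0.1.14\t8291\ttcp\tS0
1590000000.6\t10.0.0.5\t51239\t10.0.1.15\t8291\ttcp\tS0
1590000000.7\t10.0.0.7\t40000\t10.0.1.1\t8291\ttcp\tSF
1590000000.8\t10.0.0.7\t40001\t10.0.1.1\t8291\ttcp\tSF
1590000000.9\t10.0.0.9\t40002\t10.0.1.2\t443\ttcp\tSF
"""


def parse_conn_line(line):
    """Parse one tab-separated conn.log record into a dict.

    Returns None for blank lines, '#'-prefixed header/comment lines, and
    records with too few fields, so a partial or malformed log does not
    abort the whole analysis.
    """
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    fields = line.split("\t")
    if len(fields) < 7:
        return None
    try:
        return {
            "ts": float(fields[0]),
            "orig_h": fields[1],
            "orig_p": int(fields[2]),
            "resp_h": fields[3],
            "resp_p": int(fields[4]),
            "proto": fields[5],
            "conn_state": fields[6],
        }
    except ValueError:
        return None


def find_port_scanners(log_text, port=8291, min_targets=5, window=60.0):
    """Return {source_host: distinct_target_count} for every source that
    reached at least `min_targets` distinct destinations on TCP `port`
    inside any sliding window of `window` seconds.

    Counting distinct destinations (not connection attempts) is what
    separates a scan from a host that simply hammers one peer.
    """
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["resp_p"] != port:
            continue
        per_src[rec["orig_h"]].append((rec["ts"], rec["resp_h"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()  # order by timestamp so the window slides correctly
        best, lo = 0, 0
        for hi in range(len(events)):
            # Advance the window start until it spans at most `window` seconds.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in events[lo:hi + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for host, count in find_port_scanners(SAMPLE_CONN_LOG).items():
        print(f"possible 8291 scan from {host}: {count} distinct targets in window")
```

The threshold of five distinct targets in sixty seconds is an assumption chosen for the constructed sample; tune `min_targets` and `window` against your own baseline, and whitelist legitimate management hosts that routinely reach many devices on 8291 before alerting on the result.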
The Lazarus hacking group is not an actor that can be dismissed or overlooked. It is capable of building very potent, highly weaponized threats that can cause great damage to their targets. It is both interesting and worrying that the Lazarus group has decided to expand its reach and begin targeting Linux systems.