Hidden Cobra, the North Korea-linked hacker group unleashes Linux Malware



Hidden Cobra, also known as Lazarus Group, is a North Korea-linked cyber-espionage group that is notorious for the WannaCry ransomware, which spread automatically across large networks by exploiting a known bug in Microsoft's Windows operating system.

Until now the group had specialized in malware targeting Windows and macOS systems; now a new Remote Access Trojan (RAT) dubbed Dacls, which affects both Windows and Linux systems, has been traced to the group. According to researchers at Qihoo 360, Dacls was attributed to Lazarus because its download server, thevagabondsatchel.com, had been used by the APT (Advanced Persistent Threat) group in several past attacks.

Dacls is notable because it is the first Linux malware attributed to the group: no security researcher had previously disclosed any attack on Linux systems carried out by the Lazarus Group.

The Linux variant bundles all the plug-ins needed to carry out the attack inside the bot component, whereas the Windows variant loads its plug-ins remotely onto the affected system. Both secure their command-and-control (C2) communication channels with a double layer of encryption, TLS and RC4.

Dacls also uses AES to encrypt its configuration files. Through its plug-ins it can receive and execute C2 commands, download additional data from the C2 server, test network connectivity, and scan networks on port 8291, among other functions.

The malware was named Dacls after its hard-coded strings and file names (Win32.Dacls and Linux.Dacls). It was found alongside the open source program Socat and a working payload for the Confluence vulnerability CVE-2019-3396, which leads researchers to speculate that the Lazarus Group used this N-day vulnerability to spread the Dacls bot.

Once Linux.Dacls is activated, it runs as a daemon in the background and uses the startup parameter /pro, the bot PID file /var/run/init.pid and the process name read from /proc//cmdline to distinguish between its different operating environments.

The major functions of the Linux.Dacls bot include file management, command execution, process management, a C2 connection agent, network access testing, and a network scanning module.

Users are advised to patch their systems in a timely manner and to check for infection using the Win32.Dacls and Linux.Dacls indicators described above.
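To make that infection check concrete, here is an added triage example (not code from Qihoo 360, nor from any Dacls sample) that turns the host and network indicators quoted above into checks: a process started with the /pro argument (taken from /proc/<pid>/cmdline, the path the article abbreviates), the PID file /var/run/init.pid, and one source contacting many hosts on TCP port 8291. The process list, file list and flow lines are constructed sample data, the flow-line format and the scan threshold of 10 distinct targets are assumptions, and `read_live_cmdlines` is only for running the same logic on a real Linux host.

```python
"""Host and network triage for the Linux.Dacls indicators quoted in the article.

Constructed example; not code from Qihoo 360 or from any Lazarus sample.
Indicators used (all from the write-up):
  - bot started with the '/pro' argument
  - PID file /var/run/init.pid
  - process name taken from /proc/<pid>/cmdline
  - network scanning on TCP port 8291
"""
from collections import defaultdict
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

DACLS_PID_FILE = "/var/run/init.pid"
DACLS_STARTUP_ARG = "/pro"
DACLS_SCAN_PORT = 8291
SCAN_THRESHOLD = 10  # assumption: distinct 8291 targets that count as a scan


def parse_cmdline(raw: bytes) -> List[str]:
    """Split a /proc/<pid>/cmdline buffer (NUL-separated, NUL-terminated) into argv."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def suspicious_processes(cmdlines: Dict[int, bytes]) -> List[Tuple[int, List[str]]]:
    """Return (pid, argv) pairs whose arguments contain the exact '/pro' parameter."""
    hits = []
    for pid, raw in cmdlines.items():
        argv = parse_cmdline(raw)
        # Exact argument match: '/pro/jects/run.py' is not a hit, '/pro' is.
        if DACLS_STARTUP_ARG in argv[1:]:
            hits.append((pid, argv))
    return hits


def pid_file_present(existing_paths: Iterable[str]) -> bool:
    """True if the Dacls PID file path is among the paths seen on the host."""
    return DACLS_PID_FILE in set(existing_paths)


def port_8291_scanners(flows: Iterable[str]) -> Dict[str, int]:
    """Map source -> count of distinct hosts it contacted on TCP/8291.

    Each flow line is 'src_ip dst_ip dst_port proto' (constructed format).
    Only sources at or above SCAN_THRESHOLD distinct targets are returned.
    """
    targets = defaultdict(set)
    for line in flows:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the sweep
        src, dst, port, proto = parts
        if proto.lower() == "tcp" and int(port) == DACLS_SCAN_PORT:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= SCAN_THRESHOLD}


def read_live_cmdlines() -> Dict[int, bytes]:
    """Collect /proc/<pid>/cmdline for every running process (Linux only)."""
    out = {}
    for p in Path("/proc").iterdir():
        if p.name.isdigit():
            try:
                out[int(p.name)] = (p / "cmdline").read_bytes()
            except OSError:
                continue  # process exited or permission denied
    return out


# Constructed sample data standing in for a real host and flow log.
SAMPLE_CMDLINES = {
    101: b"/usr/sbin/sshd\0-D\0",
    202: b"/tmp/.cache/init\0/pro\0",          # mimics a Dacls-style start
    303: b"python3\0/pro/jects/run.py\0",       # benign: '/pro' only as a prefix
}
SAMPLE_PATHS = ["/var/run/init.pid", "/var/run/sshd.pid"]
SAMPLE_FLOWS = (
    [f"10.0.0.5 10.0.1.{i} 8291 tcp" for i in range(1, 13)]  # 12 targets: a scan
    + ["10.0.0.7 10.0.1.1 8291 tcp", "10.0.0.5 10.0.2.9 443 tcp"]
)

if __name__ == "__main__":
    print("processes with /pro:", suspicious_processes(SAMPLE_CMDLINES))
    print("PID file present:", pid_file_present(SAMPLE_PATHS))
    print("8291 scanners:", port_8291_scanners(SAMPLE_FLOWS))
```

Each check is weak on its own: a PID file named init.pid or a single connection to port 8291 can occur for unrelated reasons, so treat a hit as a reason to pull the binary and its configuration for analysis rather than as confirmation by itself. The `/pro` match is deliberately an exact-argument comparison so that paths merely beginning with `/pro` do not trigger it.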
