Lazarus Group Targets Linux With New Malware

Enterprise & IT, Dec 18, 2019

North Korea's state-backed hacking group Lazarus Group, the authors of the 2017 WannaCry ransomware attack, has launched a new Remote Access Trojan (RAT) called Dacls that targets both Windows and Linux devices.

Spotted by researchers at Qihoo 360 Netlab, Dacls is the first known Linux malware attributed to the Lazarus Group, which had previously been seen targeting only Windows and macOS devices.

At first glance, Dacls seemed to be just another run-of-the-mill botnet, but the researchers soon realized that it had a potential link to the Lazarus Group.

Until now, no Lazarus Group attack samples or cases against the Linux platform had been disclosed by the industry. The researchers found that the botnet was a fully functional, covert RAT targeting both Windows and Linux, and that the samples share several key characteristics with tooling previously used by the Lazarus Group.

Therefore, they speculate that the attacker behind Dacls RAT is Lazarus Group.

At the time of the report, the samples were flagged on VirusTotal by 26 antivirus vendors with only generic malware labels and no relevant analysis report.

Dacls, named after its file name and the hard-coded strings it carries (Win32.Dacls and Linux.Dacls), is a new type of remote-control software.

Dacls is modular. Its command-and-control (C2) protocol is wrapped in two layers of encryption, TLS and RC4; its configuration file is AES-encrypted, and its C2 instructions can be updated dynamically. On Windows, Win32.Dacls loads its plug-in modules dynamically from a remote URL, whereas the Linux version has the plug-ins compiled directly into the bot binary. For defenders, the inner RC4 layer means that even a TLS-inspecting proxy sees only ciphertext, so detection has to rest on host artifacts and network indicators rather than on the content of the C2 traffic.

The researchers found a series of samples on a suspected download server, http://www.areac-agr.com/cms/wp-content/uploads/2015/12/, including Win32.Dacls, Linux.Dacls, the open-source program Socat, and a working exploit payload for the Confluence vulnerability CVE-2019-3396 (a server-side template injection flaw in the Widget Connector macro of Confluence Server), which suggests that unpatched Confluence servers were one entry point onto Linux hosts.

One of the samples the researchers found has a simple function: it collects target host information according to parameters passed to the log-collecting process, skips a specified set of top-level and second-level directories, and writes the paths of the retrieved files to /tmp/hdv.log.

When this is done, it runs the system tar command (tar -cvzf /tmp/hdv.rm /tmp/hdv.log) to compress the log file and uploads the archive to the specified log-collecting interface.
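The staging files and the tar command line above, together with the download server URL, are the concrete indicators this report gives a defender. The following script is an added illustration (not code from Netlab's report or from the malware) of how to hunt for them: it rebuilds flat command lines from auditd EXECVE records, flags the tar staging command, the staging file paths and the download server URL in log lines, and checks a live host for the staging files. Only the indicators come from the article; the log lines are constructed samples in auditd and proxy-log style, and the file name at the end of the sample URL is a made-up placeholder.

```python
"""Hunt for the Linux.Dacls artifacts named in the article in host and proxy logs.

Added illustration, not code from the Netlab report or from the malware.
Indicators taken from the article: the staging files /tmp/hdv.log and /tmp/hdv.rm,
the command 'tar -cvzf /tmp/hdv.rm /tmp/hdv.log', and the download server
http://www.areac-agr.com/cms/wp-content/uploads/2015/12/.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List

DACLS_STAGING_FILES = ("/tmp/hdv.log", "/tmp/hdv.rm")
DACLS_TAR_CMD = re.compile(r"\btar\s+-cvzf\s+/tmp/hdv\.rm\s+/tmp/hdv\.log\b")
DACLS_DOWNLOAD_HOST = "www.areac-agr.com"
DACLS_DOWNLOAD_PATH = "/cms/wp-content/uploads/2015/12/"

# auditd EXECVE records split the command line into a0="...", a1="...", ...
AUDIT_ARG = re.compile(r'\ba\d+="([^"]*)"')


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    line: str


def normalize_cmdline(line: str) -> str:
    """Rebuild a flat command line from an auditd EXECVE record; other lines pass through."""
    if "argc=" in line:
        args = AUDIT_ARG.findall(line)
        if args:
            return " ".join(args)
    return line


def classify(line: str) -> List[str]:
    """Return the Dacls indicators present in one log line, most specific first."""
    found: List[str] = []
    if DACLS_TAR_CMD.search(normalize_cmdline(line)):
        found.append("tar-staging-command")
    elif any(path in line for path in DACLS_STAGING_FILES):
        found.append("staging-file-path")
    if DACLS_DOWNLOAD_HOST in line and DACLS_DOWNLOAD_PATH in line:
        found.append("download-server-url")
    return found


def scan_lines(lines: Iterable[str]) -> List[Hit]:
    """Scan log lines in order and return one Hit per indicator found."""
    return [Hit(n, ind, line) for n, line in enumerate(lines, 1) for ind in classify(line)]


def check_staging_files(exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Live-host check: which of the Dacls staging files exist right now."""
    return [p for p in DACLS_STAGING_FILES if exists(p)]


# Constructed sample lines (auditd EXECVE/PATH records and a proxy access log).
# The file name in the URL is a placeholder, not something the article names.
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1576684801.123:4567): argc=4 a0="tar" a1="-cvzf" a2="/tmp/hdv.rm" a3="/tmp/hdv.log"',
    'type=EXECVE msg=audit(1576684802.456:4568): argc=3 a0="tar" a1="-czf" a2="/var/backups/etc.tgz"',
    "2019-12-18T10:03:01Z proxy 10.0.0.21 GET http://www.areac-agr.com/cms/wp-content/uploads/2015/12/placeholder.bin 200",
    "2019-12-18T10:04:07Z proxy 10.0.0.21 GET http://example.org/wp-content/uploads/2015/12/image.png 200",
    'type=PATH msg=audit(1576684803.789:4569): item=0 name="/tmp/hdv.log" inode=131073 dev=08:01 mode=0100644',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.indicator}: {hit.line}")
    print("staging files present on this host:", check_staging_files())
```

The second tar line and the unrelated wp-content URL are included deliberately: matching on the full staging command and on host plus path together keeps the hunt from firing on every tar invocation or every WordPress upload path.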

The main functions of the Linux.Dacls bot are command execution, file management, process management, testing network access, acting as a C2 connection agent, and network scanning.

Tags: malware, Linux, botnet