Netlab 360: North Korea’s Lazarus attacks Linux & Windows Platform via Dacls RAT. It’s the firs time Pyongyang hackers target Linux. Their malware has 6 plug-in modules
North Korea’s Lazarus attacks Linux & Windows Platform via Dacls RAT. It has been discovered by Netlab360 cyber security experts. It’s the first time security that Pyongyang’s hackers target Linux platform. Researchers found a suspicious ELF file and decided to analyze it. The sample confirmed links between the malware and the group. It is a new type of remote control software, including Windows and Linux versions and sharing the C2 protocol. Its functions are modular, the C2 protocol uses TLS and RC4 double-layer encryption, the configuration file uses AES encryption and supports C2 instruction dynamic update. The Win32.Dacls plug-in module is dynamically loaded through a remote URL, and the Linux version of the plug-in is compiled directly in the Bot program. Experts confirmed that there are 6 plug-in modules in Linux.Dacls: execute commands, file management, process management, test network access, C2 connection agent, network scan.
The cyber security experts: Pyongyang’s state sponsored hackers used the CVE-2019-3396 N-day vulnerability to spread the Dacls Bot
According the cyber security researchers, Lazarus drop the series of samples from the C2 server and the they includes Win32.Dacls and Linux.Dacls, the open source program Socat, and Confluence CVE-2019-3396 Payload. Experts also confirmed that the North Korea’s state sponsored hackers used the CVE-2019-3396 N-day vulnerability to spread the Dacls Bot program. After Linux.Dacls is started, it runs in the daemon mode in the background and startup parameters / pro, the PID file /var/run/init.pid, and process name / proc / <pid> / cmdline to distinguish different operating environments. Netlab 360 guess it might be used for Bot program upgrade. If the malware cannot find the configuration file after startup, it will use AES encryption to generate the default configuration file based on the hard-coded information in the sample. After Bot communicates with C2, it will continue to update the configuration file.