Dacls, the Dual platform RAT
Background
On October 25, 2019, a suspicious ELF file (MD5 80c0efb9e129f7f9b05a783df6959812) was flagged by our new threat monitoring system. At first glance it looked like just another run-of-the-mill botnet sample, but we soon realized it had a potential link to the Lazarus Group.
To date, the industry has not publicly disclosed any Lazarus Group attack samples or cases targeting the Linux platform. Our analysis shows that this is a fully functional, covert RAT targeting both Windows and Linux, and that the samples share several key characteristics with tooling used by the Lazarus Group.
The links between Lazarus Group and Dacls RAT
First, we searched VirusTotal for the hardcoded strings c_2910.cls and k_3872.cls found in the sample, which turned up 5 more samples. Their code and C2 instruction codes confirm that they belong to the same RAT family, with variants for Windows and Linux respectively.
One of the 5 …
IoC
IP
107.172.197.175
172.93.201.219
192.210.213.178
198.180.198.6
209.90.234.34
23.227.196.116
23.227.199.53
23.254.119.12
23.81.246.179
37.72.175.179
64.188.19.117
74.121.190.121
MD5
6de65fc57a4428ad7e262e980a7f6cc7
80c0efb9e129f7f9b05a783df6959812
8910bdaaa6d3d40e9f60523d3a34f914
982bf527b9fe16205fea606d1beed7fa
a99b7ef095f44cf35453465c64f0c70c
b578ccf307d55d3267f98349e20ecff1
bea49839390e4f1eb3cb38d0fcaf897e
cef99063e85af8b065de0ffa9d26cb03
e883bf5fd22eb6237eb84d80bbcf2ac9
SHA1
e14724498374cb9b80a77b7bfeb1d1bd342ee139
URL
http://thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi
http://www.areac-agr.com/cms/wp-content/uploads/2015/12/
http://www.areac-agr.com/cms/wp-content/uploads/2015/12/check.vm
http://www.areac-agr.com/cms/wp-content/uploads/2015/12/hdata.dat
http://www.areac-agr.com/cms/wp-content/uploads/2015/12/ldata.dat
http://www.areac-agr.com/cms/wp-content/uploads/2015/12/mdata.dat
http://www.areac-agr.com/cms/wp-content/uploads/2015/12/r.vm
http://www.areac-agr.com/cms/wp-content/uploads/2015/12/rdata.dat
http://www.areac-agr.com/cms/wp-content/uploads/2015/12/sdata.dat
https://thevagabondsatchel.com/wp-content/uploads/2019/03/wm64.avi
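The IoC list above mixes IPv4 addresses, MD5 and SHA1 hashes and URLs in one flat list, and the earlier section pivoted on the hardcoded strings c_2910.cls and k_3872.cls. The following Python is an added example, not code from the original report or from 360 Netlab: it classifies each indicator by its shape, matches a handful of constructed proxy, DNS and EDR log lines against the list, and checks a constructed byte blob for the pivot strings and its MD5. The indicator excerpt is a subset of the list above; every log line, the 10.0.0.0/8 and 192.0.2.0/24 addresses, the hostnames web01 / example.com and the ELF stand-in are constructed for the example.

```python
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# Excerpt of the IoC list above (subset chosen for the example; the real list is longer).
IOC_TEXT = """
107.172.197.175
23.227.196.116
80c0efb9e129f7f9b05a783df6959812
e14724498374cb9b80a77b7bfeb1d1bd342ee139
http://www.areac-agr.com/cms/wp-content/uploads/2015/12/check.vm
https://thevagabondsatchel.com/wp-content/uploads/2019/03/wm64.avi
"""

# Hardcoded strings the report pivoted on in VirusTotal.
STRING_IOCS = (b"c_2910.cls", b"k_3872.cls")

HEX_ONLY = re.compile(r"^[0-9a-f]+$")


def classify(ioc: str) -> str:
    """Infer an indicator's type from its shape alone."""
    s = ioc.strip().lower()
    if s.startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.IPv4Address(s)
        return "ipv4"
    except ValueError:
        pass
    if HEX_ONLY.match(s):
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(s), "unknown")
    return "unknown"


def load_iocs(text: str) -> dict:
    """Bucket indicators by type; each URL also contributes a (weaker) host indicator."""
    iocs = {k: set() for k in ("ipv4", "md5", "sha1", "sha256", "url", "host")}
    for line in text.splitlines():
        s = line.strip().lower()  # lowercase both sides so hashes/hosts/URLs compare uniformly
        if not s:
            continue
        kind = classify(s)
        if kind == "unknown":
            continue
        iocs[kind].add(s)
        if kind == "url":
            iocs["host"].add(urlparse(s).hostname)
    return iocs


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b[0-9a-f]{32,64}\b")
URL_RE = re.compile(r"""https?://[^\s"']+""")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def scan_line(iocs: dict, line: str) -> list:
    """Return (kind, value) hits for one log line."""
    low = line.lower()
    hits = []
    hits += [("ipv4", ip) for ip in IPV4_RE.findall(low) if ip in iocs["ipv4"]]
    for digest in HEX_RE.findall(low):
        hits += [(k, digest) for k in ("md5", "sha1", "sha256") if digest in iocs[k]]
    hits += [("url", u) for u in URL_RE.findall(low) if u in iocs["url"]]
    # A bare hostname match is a weak signal (the URLs are wp-content/uploads paths on
    # otherwise ordinary web sites), so report it separately and only when no exact URL hit.
    url_hosts = {urlparse(u).hostname for k, u in hits if k == "url"}
    hits += [("host", h) for h in HOST_RE.findall(low)
             if h in iocs["host"] and h not in url_hosts]
    return hits


def scan_logs(iocs: dict, lines: list) -> list:
    """(line index, kind, value) for every hit across a batch of log lines."""
    return [(i, k, v) for i, line in enumerate(lines) for k, v in scan_line(iocs, line)]


def scan_file_bytes(iocs: dict, data: bytes) -> tuple:
    """MD5 of the bytes, whether that hash is listed, and which pivot strings are present."""
    md5 = hashlib.md5(data).hexdigest()
    found = [s.decode() for s in STRING_IOCS if s in data]
    return md5, md5 in iocs["md5"], found


# Constructed log lines (private/documentation-range addresses, invented timestamps).
SAMPLE_LOGS = [
    '2019-10-25T10:01:02Z proxy src=10.0.0.5 dst=23.227.196.116:443 '
    'url="https://thevagabondsatchel.com/wp-content/uploads/2019/03/wm64.avi" status=200',
    '2019-10-25T10:01:09Z dns client=10.0.0.7 query=www.areac-agr.com type=A answer=192.0.2.10',
    '2019-10-25T10:02:30Z edr host=web01 event=file_create path=/tmp/.x md5=80C0EFB9E129F7F9B05A783DF6959812',
    '2019-10-25T10:03:11Z proxy src=10.0.0.9 dst=192.0.2.20:80 url="http://example.com/index.html" status=304',
]

# Constructed stand-in for a sample: an ELF magic header followed by one pivot string.
SAMPLE_BLOB = b"\x7fELF\x02\x01\x01" + b"\x00" * 32 + b"/tmp/c_2910.cls\x00"

if __name__ == "__main__":
    iocs = load_iocs(IOC_TEXT)
    for idx, kind, value in scan_logs(iocs, SAMPLE_LOGS):
        print(f"line {idx}: {kind} {value}")
    print(scan_file_bytes(iocs, SAMPLE_BLOB))
```

The host bucket exists because the URLs in the list sit under wp-content/uploads on sites that also serve legitimate content; a DNS query for one of those hosts is worth a look but is not, on its own, evidence of Dacls, which is why the example keeps host hits distinct from exact URL hits. Hash comparison is case-insensitive because EDR products disagree on hex casing; the MD5 in the third log line is uppercase and still matches.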