Lazarus (North Korea): A new Remote Access Trojan (RAT), dubbed Dacls was discovered by security researchers at Qihoo 360 and linked to North Korea’s Lazarus Group. Previous samples of malware from Lazarus which targeted Windows and Mac machines have been shared throughout the industry, however the Dacls RAT was found to be targeting Linux machines along with Windows. The samples analyzed by researchers share key characteristics with other malware that led them to the conclusion that it was North Korean-backed–primarily the download server, which the group had used in previous attack campaigns. Both Windows and Linux samples of Dacls have an exploit payload for Atlassian Confluence Server installations, which are vulnerable to attacks against the CVE-2019-3396 Remote Code Execution (RCE) bug.
Analyst Notes
It is recommended that anyone utilizing the Confluence Server should put the patch in place that stops CVE-2019-3396 from being exploitable. Using a defense-in-depth strategy should always be on the minds of any company, such as utilizing an Endpoint Detection and Response (EDR) system and monitoring by a Security Operations Center is a good way to find, stop, and mitigate these types of attacks before they spread across a network. More information from Bleeping Computer can be found here: https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-linux-windows-with-new-dacls-malware/. IOC’s can be found here directly from Qihoo 360: https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/
