Dacls, the Dual platform RAT
2019-12-17 • Qihoo360
360 Netlab analyzed Dacls, a dual-platform RAT family for Linux and Windows that it assessed as potentially linked to Lazarus Group based on related samples, shared C2 instruction codes, VirusTotal/community references, and infrastructure associated with prior Lazarus reporting. Linux.Dacls runs as a daemon, stores AES-encrypted configuration, and communicates with C2 through TLS plus RC4-protected traffic. The Linux build includes modules for command execution, file and process management, network-access testing, C2 connection proxying, and network scanning, while Windows plugins are loaded from remote URLs. The researchers also found Dacls components alongside Socat and a Confluence CVE-2019-3396 payload, suggesting that exploitation of that vulnerability may have been used to distribute the bot.
Indicators of Compromise