Lazarus Group uses Dacls RAT to attack Linux platforms
2019-12-17 • Qihoo360
360 Netlab analyzed Dacls, a modular RAT family with both Linux and Windows variants that the researchers assessed as likely linked to Lazarus Group, based on related samples, shared C2 infrastructure references, and prior open-source attribution. The investigation began with a suspicious Linux ELF sample and identified a common C2 protocol across Win32.Dacls and Linux.Dacls: C2 traffic is carried over TLS with an additional RC4 layer, and the configuration data is stored AES-encrypted. Linux.Dacls ships plugins for command execution, file management, process management, network-access testing, C2 connection proxying, and network scanning. The report also found Dacls components hosted alongside a payload for the Confluence vulnerability CVE-2019-3396, which led the researchers to suspect that exploitation of that vulnerability was one distribution path; the page does not establish it as the only one. The reverse P2P proxy capability matters most for defenders: an infected host can relay C2 traffic for other implants, so the command infrastructure is exposed to fewer direct connections and the operators gain a foothold for moving deeper into networks that cannot reach the C2 directly.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | bea49839390e4f1eb3cb38d0fcaf897e | 2019-12-17 | 2021-03-23 |
| HASH | 80c0efb9e129f7f9b05a783df6959812 | 2019-12-17 | 2021-03-23 |
| HASH | 8910bdaaa6d3d40e9f60523d3a34f914 | 2019-12-17 | 2021-03-23 |
| HASH | 6de65fc57a4428ad7e262e980a7f6cc7 | 2019-12-17 | 2021-03-23 |
| HASH | cef99063e85af8b065de0ffa9d26cb03 | 2019-12-17 | 2021-03-23 |
| IPv4 | 64.188.19.117 | 2019-12-17 | 2021-03-23 |
| IPv4 | 198.180.198.6 | 2019-12-17 | 2021-03-23 |
| IPv4 | 23.254.119.12 | 2019-12-17 | 2021-03-23 |
| IPv4 | 192.210.213.178 | 2019-12-17 | 2021-03-23 |
| IPv4 | 37.72.175.179 | 2019-12-17 | 2021-03-23 |
| IPv4 | 23.227.199.53 | 2019-12-17 | 2021-03-23 |
| IPv4 | 23.81.246.179 | 2019-12-17 | 2021-03-23 |
| IPv4 | 74.121.190.121 | 2019-12-17 | 2021-03-23 |
| IPv4 | 209.90.234.34 | 2019-12-17 | 2021-03-23 |
| IPv4 | 23.227.196.116 | 2019-12-17 | 2021-03-23 |
| HASH | e883bf5fd22eb6237eb84d80bbcf2ac9 | 2019-12-17 | 2020-07-22 |
| HASH | a99b7ef095f44cf35453465c64f0c70c | 2019-12-17 | 2020-07-22 |
| HASH | 982bf527b9fe16205fea606d1beed7fa | 2019-12-17 | 2020-07-22 |
| IPv4 | 107.172.197.175 | 2019-12-17 | 2020-07-22 |
| IPv4 | 172.93.201.219 | 2019-12-17 | 2020-07-22 |
| URL | http://www.areac-agr.com/cms/wp… | 2019-12-17 | 2020-07-06 |
| HASH | e14724498374cb9b80a77b7bfeb1d1b… | 2019-12-17 | 2019-12-17 |
| URL | http://www.areac-agr.com/cms/wp… | 2019-12-17 | 2019-12-17 |
| URL | http://www.areac-agr.com/cms/wp… | 2019-12-17 | 2019-12-17 |
| URL | http://www.areac-agr.com/cms/wp… | 2019-12-17 | 2019-12-17 |
| URL | https://thevagabondsatchel.com/… | 2019-12-17 | 2019-12-17 |
| URL | http://thevagabondsatchel.com/w… | 2019-12-17 | 2019-12-17 |
| URL | http://www.areac-agr.com/cms/wp… | 2019-12-17 | 2019-12-17 |
| URL | http://www.areac-agr.com/cms/wp… | 2019-12-17 | 2019-12-17 |
| URL | http://www.areac-agr.com/cms/wp… | 2019-12-17 | 2019-12-17 |
| URL | http://www.areac-agr.com/cms/wp… | 2019-12-17 | 2019-12-17 |
| DOMAIN | wowrack.com | 2019-12-17 | 2019-12-17 |
| DOMAIN | thevagabondsatchel.com | 2019-12-17 | 2019-12-17 |
| HASH | b578ccf307d55d3267f98349e20ecff1 | 2019-11-12 | 2019-12-17 |
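One practical use of the table above is to match its indicators against your own telemetry. The following Python is an added example, not code from 360 Netlab or from the Dacls report: it parses a markdown IOC table of the shape used on this page (a constructed subset of the rows is embedded so the script runs offline), normalizes the values, and checks constructed sample proxy and connection-log lines and file hashes against them. Truncated table entries (values ending in "…") are kept only as prefixes and flagged as such, since a partial hash or URL cannot be matched exactly.

```python
import re
from dataclasses import dataclass

# Constructed subset of the IOC table above, in the same markdown layout;
# the parser works unchanged on the full table.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | bea49839390e4f1eb3cb38d0fcaf897e | 2019-12-17 | 2021-03-23 |
| IPv4 | 64.188.19.117 | 2019-12-17 | 2021-03-23 |
| IPv4 | 23.254.119.12 | 2019-12-17 | 2021-03-23 |
| URL | http://www.areac-agr.com/cms/wp… | 2019-12-17 | 2020-07-06 |
| HASH | e14724498374cb9b80a77b7bfeb1d1b… | 2019-12-17 | 2019-12-17 |
| DOMAIN | thevagabondsatchel.com | 2019-12-17 | 2019-12-17 |
"""

# Constructed sample log lines (not from the report); hosts and
# timestamps are illustrative.
SAMPLE_LOGS = [
    "2019-12-17T10:02:11Z proxy GET http://www.areac-agr.com/cms/wp-content/x.php src=10.0.0.5",
    "2019-12-17T10:03:40Z conntrack 10.0.0.5:51234 -> 64.188.19.117:443 TLS",
    "2019-12-17T10:04:02Z dns query example.org from 10.0.0.7",
]


@dataclass(frozen=True)
class Indicator:
    kind: str        # HASH, IPV4, URL or DOMAIN (upper-cased from the table)
    value: str       # normalized value, trailing ellipsis removed
    truncated: bool  # True when the table only carried a prefix


def parse_ioc_table(text):
    """Parse a markdown IOC table (Type | Value | ...) into Indicator objects."""
    iocs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 2 or cells[0] == "Type" or set(cells[0]) <= set("-:"):
            continue  # header row and markdown separator row
        kind, value = cells[0].upper(), cells[1]
        truncated = False
        for ellipsis in ("…", "..."):
            if value.endswith(ellipsis):
                value, truncated = value[: -len(ellipsis)], True
                break
        if kind in ("HASH", "DOMAIN"):
            value = value.lower()
        iocs.append(Indicator(kind, value, truncated))
    return iocs


def match_hash(iocs, digest):
    """Return the HASH indicator matching an MD5 hex digest, or None.

    A complete table entry must match exactly; a truncated entry only
    gives a prefix match, which the caller should treat as lower confidence.
    """
    digest = digest.lower()
    for ioc in iocs:
        if ioc.kind != "HASH":
            continue
        if ioc.truncated and digest.startswith(ioc.value):
            return ioc
        if not ioc.truncated and digest == ioc.value:
            return ioc
    return None


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_line(iocs, line):
    """Return (kind, value) hits for one log line.

    IPv4 values are compared as whole addresses, domains are bounded so
    that only the host or its subdomains match, and URLs match as prefixes
    (a truncated URL row can never be more than a prefix anyway).
    """
    hits = []
    ips = set(IPV4_RE.findall(line))
    lower = line.lower()
    for ioc in iocs:
        if ioc.kind == "IPV4" and ioc.value in ips:
            hits.append((ioc.kind, ioc.value))
        elif ioc.kind == "DOMAIN" and re.search(
            r"(?<![\w-])" + re.escape(ioc.value) + r"(?![\w-])", lower
        ):
            hits.append((ioc.kind, ioc.value))
        elif ioc.kind == "URL" and ioc.value.lower() in lower:
            hits.append((ioc.kind, ioc.value))
    return hits


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    for entry in SAMPLE_LOGS:
        print(scan_log_line(iocs, entry), entry)
    print(match_hash(iocs, "BEA49839390E4F1EB3CB38D0FCAF897E"))
```

Two caveats when turning these rows into detections: a prefix match on a truncated hash is not the same as a hash match and should raise a ticket rather than block, and bare hosting-provider domains such as wowrack.com in the DOMAIN rows will be noisy if used as a blanket rule, so scope them to the specific hosts or IPs in the table.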