The Dacls remote access trojan that is capable of attacking Windows, Linux and macOS environments has been used to distribute VHD ransomware and to target customer databases for attempted exfiltration, according to researchers.
Kaspersky on Wednesday revealed this latest intel on Dacls in a company blog post and corresponding press release that also detailed an array of plug-ins used by the malware framework, which has been linked to North Korean state-sponsored hackers.
Victims of Dacls, which Kaspersky refers to as MATA, have included a software development company, an e-commerce company and an internet service provider, the blog post states. Kaspersky has identified victims in Poland, Germany, Turkey, Korea, Japan and India.
Kaspersky has further corroborated the greater research community’s assertion that Dacls is the work of reputed North Korean APT actor Lazarus Group, aka Hidden Cobra, based on the presence of two filenames and a configuration structure that were previously associated with another Lazarus malware called Manuscrypt.
Lazarus has earned a widespread reputation for conducting cyber espionage and financially motivated attacks. In the case of Dacls, Kaspersky identified customer database exfiltration as a key attacker objective via analysis of one of the identified victims.
“After deploying MATA malware and its plugins, the actor attempted to find the victim’s databases and execute several database queries to acquire customer lists. We’re not sure if they completed the exfiltration of the customer database, but it’s certain that customer databases from victims are one of their interests,” the blog post states.
Kaspersky reports that during its research it found a “package containing different MATA files together with a set of hacking tools” on a “legitimate distribution site, which might indicate that this is the way the malware was distributed.”
According to Kaspersky, the framework is made up of a loader, various plugins and an orchestrator designed to load the plugins and execute them in memory. Each plugin introduces its own capabilities, which include process manipulation (listing, killing and creating processes), C2 communication, creating an HTTP proxy server, manipulating files (writing to them, searching them, sending them, compressing them and wiping them), and injecting DLL files.
“This series of attacks indicates that Lazarus was willing to invest significant resources into developing this toolset and widening the reach of organizations targeted – particularly in hunting for both money and data,” said Seongsu Park, senior security researcher at Kaspersky. “Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on.”
“This approach is typically found among mature APT groups. We expect the MATA framework to be developed even further and advise organizations to pay more attention to the security of their data, as it remains one of the key and most valuable resources that could be affected,” Park continued.
To combat the threat, Kaspersky recommends that companies install an endpoint security solution or other dedicated cybersecurity product, keep their SOC team up to date with the latest threat intelligence, and maintain fresh backup copies of business data.
Both Netlab and Malwarebytes are among the cybersecurity firms that have previously published research on this malware. In May, Malwarebytes reported the discovery of a trojanized two-factor authentication application targeting Macs with Dacls.