Therefore, we speculate that the attacker behind Dacls RAT is Lazarus Group.Ĭurrently this sample is shown on VirusTotal with 26 pretty generic malware tag from by 26 antivirus vendors with no relevant analysis report. And that sample file b578ccf307d55d3267f98349e20ecff1 has the download url as Ī quick google returns many Lazarus Group analysis reports and some open source threat intelligence data, many pointing out that was used by Lazarus Group to store samples. In October 2019, a sample named NukeSped was tagged by Twitter user as Lazarus Group. This sample also has download address of. One of the 5 samples 6de65fc57a4428ad7e262e980a7f6cc7 was pointed to as Lazarus Group by the user Raeezabdulla of the VirusTotal community, and cited a report "CES Themed Targeting from Lazarus". We can confirm from their sample and C2 instruction codes that they are the same RAT family, and is suitable for Windows and Linux platforms, respectively. The links between Lazarus Group and Dacls RATįirst, we searched VT for the hardcoded string c_2910.cls and k_3872.cls in the sample and found 5 more samples. And our analysis shows that this is a fully functional, covert and RAT program targeting both Windows and Linux platforms, and the samples share some key characters being used by Lazarus Group. At first glance, it seems to be just another one of the regular botnets, but we soon realized this is something with potential link to the Lazarus Group.Īt present, the industry has never disclosed the Lazarus Group's attack samples and cases against the Linux platform. ![]() On October 25, 2019, a suspicious ELF file (80c0efb9e129f7f9b05a783df6959812) was flagged by our new threat monitoring system.
0 Comments
Leave a Reply. |