Movatterモバイル変換

Dacls

Dacls is a multi-platform remote access tool used byLazarus Group since at least December 2019.^[1]^[2]

ID: S0497

ⓘ

Type: MALWARE

ⓘ

Platforms: macOS, Linux, Windows

Version: 1.1

Created: 07 August 2020

Last Modified: 11 April 2024

Version Permalink

Enterprise Layer

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol:Web Protocols	Dacls can use HTTPS in C2 communications.^[2]^[1]
Enterprise	T1543	.001	Create or Modify System Process:Launch Agent	Dacls can establish persistence via a LaunchAgent.^[2]^[1]
		.004	Create or Modify System Process:Launch Daemon	Dacls can establish persistence via a Launch Daemon.^[2]^[1]
Enterprise	T1083		File and Directory Discovery	Dacls can scan directories on a compromised host.^[1]
Enterprise	T1564	.001	Hide Artifacts:Hidden Files and Directories	Dacls has had its payload named with a dot prefix to make it hidden from view in the Finder application.^[2]^[1]
Enterprise	T1105		Ingress Tool Transfer	Dacls can download its payload from a C2 server.^[2]^[1]
Enterprise	T1036		Masquerading	TheDacls Mach-O binary has been disguised as a .nib file.^[2]
Enterprise	T1027	.013	Obfuscated Files or Information:Encrypted/Encoded File	Dacls can encrypt its configuration file with AES CBC.^[1]
Enterprise	T1057		Process Discovery	Dacls can collect data on running and parent processes.^[1]

Groups That Use This Software

ID	Name	References
G0032	Lazarus Group	^[2]^[1]

References

Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.

Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.

×

[8]ページ先頭

©2009-2026 Movatter.jp