The Lazarus group is believed to have ties to the North Korean government and has been linked to a series of cyberattacks around the world. Among its most notable operations are the spread of the WannaCry ransomware, the theft of $80m from a Bangladeshi bank, and a newer campaign targeting financial institutions worldwide.
The Lazarus group has bought many tools from other hackers in the past, but it also builds its own "weapons", such as the new Remote Access Trojan (RAT) discovered by researchers at Netlab 360.
According to the security firm, the trojan, named Dacls, first appeared in May, and although it has since been flagged by more than 20 antivirus vendors, it is still classified as "unknown".
The researchers analysed a malware sample and found it to be a "fully functional RAT platform for the Windows and Linux platforms", probably related to this group.
A domain associated with the malware, thevagabondsatchel.com, is a further indication of the Lazarus group's involvement, as the site had previously been used by the APT to host malware.
The researchers believe that CVE-2019-3396, a remote code execution flaw in a macro of Atlassian Confluence Server version 6.6.12 (and earlier), is being used to compromise systems and deploy Dacls.
The RAT, which comes in variants for each target operating system, shares a common command-and-control (C2) protocol across them. Dacls is modular malware that uses TLS and RC4 encryption when communicating with its C2 server, and AES encryption to protect its configuration files.
Once a vulnerable Linux system has been compromised, the malicious program runs in the background and periodically checks for updates.
The trojan can perform a range of actions, including stealing, deleting and executing files, scanning directories, downloading additional payloads, killing processes, uploading data and more.
As noted above, the trojan spreads through a known vulnerability for which a patch is already available, so IT administrators should update their Confluence installations to stay protected.