Dacls

Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.^[1]^[2]

ID: S0497

ⓘ

Type: MALWARE

ⓘ

Platforms: macOS, Linux, Windows

Version: 1.1

Created: 07 August 2020

Last Modified: 11 April 2024

Techniques Used

Domain	ID		Name	Use
Enterprise	T1036		伪装	The Dacls Mach-O binary has been disguised as a .nib file.^[2]
Enterprise	T1543	.001	创建或修改系统进程: Launch Agent	Dacls can establish persistence via a LaunchAgent.^[2]^[1]
		.004	创建或修改系统进程: Launch Daemon	Dacls can establish persistence via a Launch Daemon.^[2]^[1]
Enterprise	T1071	.001	应用层协议: Web Protocols	Dacls can use HTTPS in C2 communications.^[2]^[1]
Enterprise	T1083		文件和目录发现	Dacls can scan directories on a compromised host.^[1]
Enterprise	T1027	.013	混淆文件或信息: Encrypted/Encoded File	Dacls can encrypt its configuration file with AES CBC.^[1]
Enterprise	T1105		输入工具传输	Dacls can download its payload from a C2 server.^[2]^[1]
Enterprise	T1057		进程发现	Dacls can collect data on running and parent processes.^[1]
Enterprise	T1564	.001	隐藏伪装: Hidden Files and Directories	Dacls has had its payload named with a dot prefix to make it hidden from view in the Finder application.^[2]^[1]

Groups That Use This Software

ID	Name	References
G0032	Lazarus Group	^[2]^[1]

References

Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.

Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.