SYMBOLCOMMON_NAMEaka. SYNONYMS
osx.dacls (Back to overview)

Dacls

Actor(s): Lazarus Group

According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.

Research shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.

References
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-03SYGNIAAmitai Ben Shushan, Noam Lifshitz, Amnon Kushnir, Martin Korman, Boaz Wasserman
@online{shushan:20210303:lazarus:60339a7, author = {Amitai Ben Shushan and Noam Lifshitz and Amnon Kushnir and Martin Korman and Boaz Wasserman}, title = {{Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware}}, date = {2021-03-03}, organization = {SYGNIA}, url = {https://www.sygnia.co/mata-framework}, language = {English}, urldate = {2021-03-04} } Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware
Dacls Dacls Dacls TFlower
2021-01-01Objective-SeePatrick Wardle
@online{wardle:20210101:mac:a6f5a3b, author = {Patrick Wardle}, title = {{The Mac Malware of 2020 - a comprehensive analysis of the year's new malware}}, date = {2021-01-01}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x5F.html}, language = {English}, urldate = {2021-01-11} } The Mac Malware of 2020 - a comprehensive analysis of the year's new malware
AppleJeus Dacls EvilQuest FinFisher WatchCat XCSSET
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-28Kaspersky LabsIvan Kwiatkowski, Pierre Delcher, Félix Aime
@online{kwiatkowski:20200728:lazarus:5b1523a, author = {Ivan Kwiatkowski and Pierre Delcher and Félix Aime}, title = {{Lazarus on the hunt for big game}}, date = {2020-07-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/}, language = {English}, urldate = {2020-07-30} } Lazarus on the hunt for big game
Dacls Dacls Dacls VHD Ransomware
2020-07-27SentinelOnePhil Stokes
@online{stokes:20200727:four:9d80c60, author = {Phil Stokes}, title = {{Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform}}, date = {2020-07-27}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/}, language = {English}, urldate = {2020-07-30} } Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform
AppleJeus Casso Dacls WatchCat
2020-07-22Kaspersky LabsGReAT
@online{great:20200722:mata:591e184, author = {GReAT}, title = {{MATA: Multi-platform targeted malware framework}}, date = {2020-07-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/}, language = {English}, urldate = {2020-07-23} } MATA: Multi-platform targeted malware framework
Dacls Dacls Dacls
2020-05-11Trend MicroGabrielle Joyce Mabutas, Kazuki Fujisawa
@online{mabutas:20200511:new:e25ce4e, author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa}, title = {{New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability}}, date = {2020-05-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/}, language = {English}, urldate = {2020-05-11} } New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability
Dacls
2020-05-11Trend MicroGabrielle Joyce Mabutas, Kazuki Fujisawa
@online{mabutas:20200511:new:aa2bbd7, author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa}, title = {{New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability}}, date = {2020-05-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability}, language = {English}, urldate = {2020-06-03} } New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability
Dacls
2020-05-06MalwarebytesHossein Jazi, Thomas Reed, Jérôme Segura
@online{jazi:20200506:new:7723083, author = {Hossein Jazi and Thomas Reed and Jérôme Segura}, title = {{New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app}}, date = {2020-05-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/}, language = {English}, urldate = {2020-05-07} } New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app
Dacls
2020-05-05Objective-SeePatrick Wardle
@online{wardle:20200505:dacls:b9f2391, author = {Patrick Wardle}, title = {{The Dacls RAT ...now on macOS! deconstructing the mac variant of a lazarus group implant}}, date = {2020-05-05}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x57.html}, language = {English}, urldate = {2020-05-07} } The Dacls RAT ...now on macOS! deconstructing the mac variant of a lazarus group implant
Dacls
Yara Rules
[TLP:WHITE] osx_dacls_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule osx_dacls_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b8fdffffff 40 80ff80 75d2 48 83e31f 48 }
            // n = 7, score = 100
            //   b8fdffffff           | mov                 eax, 0xfffffffd
            //   40                   | inc                 eax
            //   80ff80               | cmp                 bh, 0x80
            //   75d2                 | jne                 0xffffffd4
            //   48                   | dec                 eax
            //   83e31f               | and                 ebx, 0x1f
            //   48                   | dec                 eax

        $sequence_1 = { 09ca 81e2???????? 0fb6b3ac020000 89f1 83e10f c1e108 01d1 }
            // n = 7, score = 100
            //   09ca                 | or                  edx, ecx
            //   81e2????????         |                     
            //   0fb6b3ac020000       | movzx               esi, byte ptr [ebx + 0x2ac]
            //   89f1                 | mov                 ecx, esi
            //   83e10f               | and                 ecx, 0xf
            //   c1e108               | shl                 ecx, 8
            //   01d1                 | add                 ecx, edx

        $sequence_2 = { 48 8b5150 48 8b7158 48 89b380010000 48 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   8b5150               | mov                 edx, dword ptr [ecx + 0x50]
            //   48                   | dec                 eax
            //   8b7158               | mov                 esi, dword ptr [ecx + 0x58]
            //   48                   | dec                 eax
            //   89b380010000         | mov                 dword ptr [ebx + 0x180], esi
            //   48                   | dec                 eax

        $sequence_3 = { eb1c 48 8bbc2490000000 e8???????? 48 8b7c2458 e8???????? }
            // n = 7, score = 100
            //   eb1c                 | jmp                 0x1e
            //   48                   | dec                 eax
            //   8bbc2490000000       | mov                 edi, dword ptr [esp + 0x90]
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b7c2458             | mov                 edi, dword ptr [esp + 0x58]
            //   e8????????           |                     

        $sequence_4 = { c744247800000000 48 c784248000000000000000 48 c784248800000000000000 c684249000000000 c684249100000000 }
            // n = 7, score = 100
            //   c744247800000000     | mov                 dword ptr [esp + 0x78], 0
            //   48                   | dec                 eax
            //   c784248000000000000000     | mov    dword ptr [esp + 0x80], 0
            //   48                   | dec                 eax
            //   c784248800000000000000     | mov    dword ptr [esp + 0x88], 0
            //   c684249000000000     | mov                 byte ptr [esp + 0x90], 0
            //   c684249100000000     | mov                 byte ptr [esp + 0x91], 0

        $sequence_5 = { e8???????? 48 89d9 4d 8bb548010000 41 8b9d50010000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   89d9                 | mov                 ecx, ebx
            //   4d                   | dec                 ebp
            //   8bb548010000         | mov                 esi, dword ptr [ebp + 0x148]
            //   41                   | inc                 ecx
            //   8b9d50010000         | mov                 ebx, dword ptr [ebp + 0x150]

        $sequence_6 = { 4c 89ff 48 89c6 48 89d9 e8???????? }
            // n = 7, score = 100
            //   4c                   | dec                 esp
            //   89ff                 | mov                 edi, edi
            //   48                   | dec                 eax
            //   89c6                 | mov                 esi, eax
            //   48                   | dec                 eax
            //   89d9                 | mov                 ecx, ebx
            //   e8????????           |                     

        $sequence_7 = { eb2d 48 8b7c2410 8b4c241c 48 8d742428 48 }
            // n = 7, score = 100
            //   eb2d                 | jmp                 0x2f
            //   48                   | dec                 eax
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   48                   | dec                 eax
            //   8d742428             | lea                 esi, [esp + 0x28]
            //   48                   | dec                 eax

        $sequence_8 = { e8???????? 49 89c4 48 89442408 48 8d542410 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   49                   | dec                 ecx
            //   89c4                 | mov                 esp, eax
            //   48                   | dec                 eax
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   48                   | dec                 eax
            //   8d542410             | lea                 edx, [esp + 0x10]

        $sequence_9 = { 0f88dc000000 48 63ee 31f6 662e0f1f840000000000 0f1f4000 49 }
            // n = 7, score = 100
            //   0f88dc000000         | js                  0xe2
            //   48                   | dec                 eax
            //   63ee                 | arpl                si, bp
            //   31f6                 | xor                 esi, esi
            //   662e0f1f840000000000     | nop    word ptr cs:[eax + eax]
            //   0f1f4000             | nop                 dword ptr [eax]
            //   49                   | dec                 ecx

    condition:
        7 of them and filesize < 1346184
}
Download all Yara Rules