osx.dacls

Dacls

Actor(s): Lazarus Group


Dacls is a remote access trojan (RAT) attributed to Lazarus Group. The references below document a macOS variant distributed via a trojanized two-factor-authentication app (Malwarebytes, Objective-See, Trend Micro, SentinelOne), and Kaspersky's analysis places the family within the multi-platform MATA targeted-malware framework; Kaspersky's "Lazarus on the hunt for big game" report references it alongside VHD Ransomware activity.

References
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-28 | Kaspersky Labs | Ivan Kwiatkowski, Pierre Delcher, Félix Aime
@online{kwiatkowski:20200728:lazarus:5b1523a, author = {Ivan Kwiatkowski and Pierre Delcher and Félix Aime}, title = {{Lazarus on the hunt for big game}}, date = {2020-07-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/}, language = {English}, urldate = {2020-07-30} } Lazarus on the hunt for big game
Dacls Dacls Dacls VHD Ransomware
2020-07-27 | SentinelOne | Phil Stokes
@online{stokes:20200727:four:9d80c60, author = {Phil Stokes}, title = {{Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform}}, date = {2020-07-27}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/}, language = {English}, urldate = {2020-07-30} } Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform
AppleJeus Casso Dacls WatchCat
2020-07-22 | Kaspersky Labs | GReAT
@online{great:20200722:mata:591e184, author = {GReAT}, title = {{MATA: Multi-platform targeted malware framework}}, date = {2020-07-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/}, language = {English}, urldate = {2020-07-23} } MATA: Multi-platform targeted malware framework
Dacls Dacls Dacls
2020-05-11 | Trend Micro | Gabrielle Joyce Mabutas, Kazuki Fujisawa
@online{mabutas:20200511:new:aa2bbd7, author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa}, title = {{New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability}}, date = {2020-05-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability}, language = {English}, urldate = {2020-06-03} } New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability
Dacls
2020-05-11 | Trend Micro | Gabrielle Joyce Mabutas, Kazuki Fujisawa (duplicate of the entry above; same article, title captured with a typo)
@online{mabutas:20200511:new:e25ce4e, author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa}, title = {{New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability}}, date = {2020-05-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/}, language = {English}, urldate = {2020-05-11} } New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability
Dacls
2020-05-06 | Malwarebytes | Hossein Jazi, Thomas Reed, Jérôme Segura
@online{jazi:20200506:new:7723083, author = {Hossein Jazi and Thomas Reed and Jérôme Segura}, title = {{New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app}}, date = {2020-05-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/}, language = {English}, urldate = {2020-05-07} } New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app
Dacls
2020-05-05 | Objective-See | Patrick Wardle
@online{wardle:20200505:dacls:b9f2391, author = {Patrick Wardle}, title = {{The Dacls RAT ...now on macOS! deconstructing the mac variant of a lazarus group implant}}, date = {2020-05-05}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x57.html}, language = {English}, urldate = {2020-05-07} } The Dacls RAT ...now on macOS! deconstructing the mac variant of a lazarus group implant
Dacls
Yara Rules
[TLP:WHITE] osx_dacls_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule osx_dacls_auto {

    /*
     * Purpose: code-sequence signature for the macOS Dacls RAT (Lazarus Group),
     * generated by yara-signator from the Malpedia sample(s) of osx.dacls.
     *
     * How it matches: ten short x86 instruction sequences ($sequence_0 ..
     * $sequence_9) are searched as raw byte patterns; `??` wildcards stand in
     * for bytes the generator left open (the 4-byte immediates after e8 and the
     * 4-byte displacements after 8b05, which presumably vary with link/load
     * layout). The rule fires when at least 7 of the 10 sequences are present
     * and the scanned object is smaller than 1,346,184 bytes.
     *
     * NOTE(review): the meta `date` (2020-05-30) and `malpedia_rule_date`
     * (20200529) disagree by one day; `malpedia_rule_date`/`malpedia_version`
     * are the values Malpedia tracks the rule by — check which one your rule
     * management keys on.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /*
     * NOTE(review) on the annotated disassembly below: the mnemonics appear to
     * be a 32-bit decode of what is most likely 64-bit code — the lone 48 / 49
     * / 4c / 41 / 44 bytes shown as `dec`/`inc` are REX prefixes in x86-64 and
     * the following instruction really operates on 64-bit registers (e.g.
     * `48 8b00` is `mov rax, [rax]`, not `dec eax; mov eax, [eax]`). The byte
     * patterns are what YARA matches and are unaffected; treat the comments as
     * approximate. $sequence_3's trailing `0000 00e1` decodes as nonsense
     * (`add byte ptr [eax], al`), which suggests that window straddles an
     * immediate; it is the most likely of the ten to break across builds.
     *
     * Operational caveats: (1) the patterns are compiler-output specific, so a
     * recompiled or differently optimised variant may drop below the 7-of-10
     * threshold (false negative) while still being Dacls — do not rely on this
     * rule as the only detection for the family; (2) the filesize bound is
     * evaluated on whatever object is scanned, so a packed container or a
     * memory region larger than the sample will not match even if the
     * sequences are present; (3) these are generic-looking code idioms
     * (call / test / jne / load), so a match on a 7-of-10 basis should be
     * triaged against the other indicators in the references above rather than
     * treated as attribution on its own.
     */
    strings:
        // rip-relative load (8b05 + disp32 wildcarded), deref, store to a large stack frame slot
        $sequence_0 = { 8b05???????? 48 8b00 48 89842400160000 44 8b3e }
            // n = 7, score = 100
            //   8b05????????         |                     
            //   48                   | dec                 eax
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   48                   | dec                 eax
            //   89842400160000       | mov                 dword ptr [esp + 0x1600], eax
            //   44                   | inc                 esp
            //   8b3e                 | mov                 edi, dword ptr [esi]

        // call (target wildcarded), test result, short conditional jump, pointer deref
        $sequence_1 = { e8???????? 85c0 750b 48 8b6d00 48 85ed }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750b                 | jne                 0xd
            //   48                   | dec                 eax
            //   8b6d00               | mov                 ebp, dword ptr [ebp]
            //   48                   | dec                 eax
            //   85ed                 | test                ebp, ebp

        // call, test result, near conditional jump, two field loads from a structure
        $sequence_2 = { e8???????? 85c0 0f85b1000000 48 8b5310 48 8b7a08 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f85b1000000         | jne                 0xb7
            //   48                   | dec                 eax
            //   8b5310               | mov                 edx, dword ptr [ebx + 0x10]
            //   48                   | dec                 eax
            //   8b7a08               | mov                 edi, dword ptr [edx + 8]

        // NOTE(review): the last three "instructions" here look like the tail of an
        // immediate operand, not real code — see the caveat above.
        $sequence_3 = { 89cf 48 894c2430 49 bc00000000 0000 00e1 }
            // n = 7, score = 100
            //   89cf                 | mov                 edi, ecx
            //   48                   | dec                 eax
            //   894c2430             | mov                 dword ptr [esp + 0x30], ecx
            //   49                   | dec                 ecx
            //   bc00000000           | mov                 esp, 0
            //   0000                 | add                 byte ptr [eax], al
            //   00e1                 | add                 cl, ah

        // zero a stack slot, set up three argument registers, call (target wildcarded)
        $sequence_4 = { c7042400000000 48 89c6 b902000000 41 b801000000 e8???????? }
            // n = 7, score = 100
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   48                   | dec                 eax
            //   89c6                 | mov                 esi, eax
            //   b902000000           | mov                 ecx, 2
            //   41                   | inc                 ecx
            //   b801000000           | mov                 eax, 1
            //   e8????????           |                     

        // call, test result, short conditional jump, copy stack pointer into two registers
        $sequence_5 = { e8???????? 85c0 752a 48 89e7 4c 89e6 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   752a                 | jne                 0x2c
            //   48                   | dec                 eax
            //   89e7                 | mov                 edi, esp
            //   4c                   | dec                 esp
            //   89e6                 | mov                 esi, esp

        // null check, short conditional jump, call, store result through a pointer
        $sequence_6 = { 48 85c0 7516 e8???????? 49 8907 48 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax
            //   7516                 | jne                 0x18
            //   e8????????           |                     
            //   49                   | dec                 ecx
            //   8907                 | mov                 dword ptr [edi], eax
            //   48                   | dec                 eax

        // call, keep result, backward near jump on failure, compare a field at +0x44c with zero
        $sequence_7 = { e8???????? 89c5 85c0 0f850afeffff 41 83bd4c04000000 741a }
            // n = 7, score = 100
            //   e8????????           |                     
            //   89c5                 | mov                 ebp, eax
            //   85c0                 | test                eax, eax
            //   0f850afeffff         | jne                 0xfffffe10
            //   41                   | inc                 ecx
            //   83bd4c04000000       | cmp                 dword ptr [ebp + 0x44c], 0
            //   741a                 | je                  0x1c

        // function prologue fragment: reserve 0x68 bytes of stack, save arg, rip-relative load
        $sequence_8 = { 83ec68 48 89fb 48 8b05???????? 48 8b00 }
            // n = 7, score = 100
            //   83ec68               | sub                 esp, 0x68
            //   48                   | dec                 eax
            //   89fb                 | mov                 ebx, edi
            //   48                   | dec                 eax
            //   8b05????????         |                     
            //   48                   | dec                 eax
            //   8b00                 | mov                 eax, dword ptr [eax]

        // zero-fill loop (store 0, advance 8, count down, loop) followed by a multi-byte nop
        $sequence_9 = { c70200000000 48 83c208 83c1f8 ffc6 75ee 662e0f1f840000000000 }
            // n = 7, score = 100
            //   c70200000000         | mov                 dword ptr [edx], 0
            //   48                   | dec                 eax
            //   83c208               | add                 edx, 8
            //   83c1f8               | add                 ecx, -8
            //   ffc6                 | inc                 esi
            //   75ee                 | jne                 0xfffffff0
            //   662e0f1f840000000000     | nop    word ptr cs:[eax + eax]

    // Require 7 of the 10 sequences (tolerates 3 missing/altered windows) and bound the
    // object size (bytes) so the rule is not evaluated against arbitrarily large files.
    condition:
        7 of them and filesize < 1346184
}