Skip to content

S0497 Dacls

Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.12

Item Value
ID S0497
Associated Names
Type MALWARE
Version 1.0
Created 07 August 2020
Last Modified 02 September 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Dacls can use HTTPS in C2 communications.21
enterprise T1543 Create or Modify System Process -
enterprise T1543.001 Launch Agent Dacls can establish persistence via a LaunchAgent.21
enterprise T1543.004 Launch Daemon Dacls can establish persistence via a Launch Daemon.21
enterprise T1083 File and Directory Discovery Dacls can scan directories on a compromised host.1
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories Dacls has had its payload named with a dot prefix to make it hidden from view in the Finder application.21
enterprise T1105 Ingress Tool Transfer Dacls can download its payload from a C2 server.21
enterprise T1036 Masquerading The Dacls Mach-O binary has been disguised as a .nib file.2
enterprise T1027 Obfuscated Files or Information Dacls can encrypt its configuration file with AES CBC.1
enterprise T1057 Process Discovery Dacls can collect data on running and parent processes.1

Groups That Use This Software

ID Name References
G0032 Lazarus Group 21

References

  1. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020. 

  2. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.