Dacls Remote Access Trojan
Dacls is a multi-platform modular remote access trojan believed to have been created by the Hidden Cobra advanced persistent threat group.
At the time of publication, Hidden Cobra appear to be delivering Dacls manually by exploiting an Atlassian Confluence remote code execution vulnerability. The group then determines the operating system of the target server before downloading a Dacls binary from an opendir instance.
Once installed, Dacls will initiate a TLS session to a command and control (C2) server, before collecting system and user information. Using this information, the C2 server will instruct Dacls to download and install modules with specific functionalities, including:
- File creation, deletion, extraction, and encryption.
- Peer-to-peer and proxy network creation.
- Local network numeration and traversal.
- External IP address and port scanning.
Indicators of Compromise
IP Addresses
- 107.172.197[.]175
- 172.93.201[.]219
- 192.210.213[.]178
- 198.180.198[.]6
- 209.90.234[.]34
- 23.227.196[.]116
- 23.227.199[.]53
- 23.254.119[.]12
- 23.81.246[.]179
- 37.72.175[.]179
- 64.188.19[.]117
- 74.121.190[.]121
URLs
- areac-agr[.]com/cms/wp-content/uploads/2015/12/check.vm
- areac-agr[.]com/cms/wp-content/uploads/2015/12/hdata.dat
- areac-agr[.]com/cms/wp-content/uploads/2015/12/ldata.dat
- areac-agr[.]com/cms/wp-content/uploads/2015/12/mdata.dat
- areac-agr[.]com/cms/wp-content/uploads/2015/12/r.vm
- areac-agr[.]com/cms/wp-content/uploads/2015/12/rdata.dat
- areac-agr[.]com/cms/wp-content/uploads/2015/12/sdata.dat
MD5 File Hashes
- 6de65fc57a4428ad7e262e980a7f6cc7
- 80c0efb9e129f7f9b05a783df6959812
- 8910bdaaa6d3d40e9f60523d3a34f914
- 982bf527b9fe16205fea606d1beed7fa
- a99b7ef095f44cf35453465c64f0c70c
- bea49839390e4f1eb3cb38d0fcaf897e
- cef99063e85af8b065de0ffa9d26cb03
- e883bf5fd22eb6237eb84d80bbcf2ac9
I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.