Dacls Remote Access Trojan

Dacls is a multi-platform modular remote access trojan believed to have been created by the Hidden Cobra advanced persistent threat group.

At the time of publication, Hidden Cobra appear to be delivering Dacls manually by exploiting an Atlassian Confluence remote code execution vulnerability. The group then determines the operating system of the target server before downloading a Dacls binary from an opendir instance.

Once installed, Dacls will initiate a TLS session to a command and control (C2) server, before collecting system and user information. Using this information, the C2 server will instruct Dacls to download and install modules with specific functionalities, including:

  • File creation, deletion, extraction, and encryption.
  • Peer-to-peer and proxy network creation.
  • Local network enumeration and traversal.
  • External IP address and port scanning.

Indicators of Compromise

IP Addresses


URLs


MD5 File Hashes

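One way a defender can consume indicators published in the defanged "[.]" style used above is to refang them and sweep proxy and endpoint logs for hits. This is an added example, not code from the original post; the indicator values and log lines are constructed placeholders, not the advisory's real IoCs.

```python
import re

# Constructed sample indicators in the defanged "[.]" style (placeholder
# values for this example, not the advisory's published IoCs).
SAMPLE_IOCS = {
    "ips": ["203.0.113[.]10", "198.51.100[.]25"],
    "urls": ["example[.]com/cms/wp-content/uploads/2015/12/check.vm"],
    "md5": ["d41d8cd98f00b204e9800998ecf8427e"],
}

# Constructed proxy/EDR log lines (fabricated for this example).
SAMPLE_LOGS = [
    "2020-05-07T10:01:02Z proxy src=10.0.0.5 dst=203.0.113.10:443 proto=tls",
    "2020-05-07T10:01:05Z proxy src=10.0.0.5 url=http://example.com/cms/wp-content/uploads/2015/12/check.vm",
    "2020-05-07T10:02:00Z edr host=web01 file=/tmp/check.vm md5=D41D8CD98F00B204E9800998ECF8427E",
    "2020-05-07T10:03:00Z proxy src=10.0.0.9 dst=8.8.8.8:53 proto=udp",
]


def refang(indicator: str) -> str:
    """Turn the defanged form ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def build_matchers(iocs):
    """Compile one case-insensitive regex per indicator type.

    IPs and hashes are bounded so that 203.0.113.10 does not match inside
    1203.0.113.10 and an MD5 does not match inside a longer hex string.
    Indicator types with no values are skipped (an empty alternation
    would match everywhere).
    """
    patterns = {
        "ip": (r"(?<![\d.])(?:%s)(?![\d.])", [re.escape(refang(i)) for i in iocs.get("ips", [])]),
        "url": (r"(?:%s)", [re.escape(refang(u)) for u in iocs.get("urls", [])]),
        "md5": (r"(?<![0-9a-f])(?:%s)(?![0-9a-f])", [h.lower() for h in iocs.get("md5", [])]),
    }
    return {k: re.compile(t % "|".join(v)) for k, (t, v) in patterns.items() if v}


def scan_logs(log_lines, iocs):
    """Return (line_number, ioc_type, matched_value) for every hit, in log order."""
    matchers = build_matchers(iocs)
    hits = []
    for n, line in enumerate(log_lines, 1):
        lowered = line.lower()  # hashes are often logged in upper case
        for kind, rx in matchers.items():
            for m in rx.finditer(lowered):
                hits.append((n, kind, m.group(0)))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, SAMPLE_IOCS):
        print(hit)
```

Hits on the C2 address or the staging URL warrant checking the source host for the Confluence exploitation and module downloads described above.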

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
