Skip to main content

Dacls Remote Access Trojan

First observed in October 2019, Dacls is a multi-platform modular remote access trojan believed to have been created by the Hidden Cobra advanced persistent threat group.

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk

Summary

First observed in October 2019, Dacls is a multi-platform modular remote access trojan believed to have been created by the Hidden Cobra advanced persistent threat group.


Threat details

At the time of publication, Hidden Cobra appear to be delivering Dacls manually by exploiting an Atlassian Confluence remote code execution vulnerability. The group then determines the operating system of the target server before downloading a Dacls binary from an opendir instance.

Once installed, Dacls will initiate a TLS session to a command and control (C2) server, before collecting system and user information. Using this information, the C2 server will instruct Dacls to download and install modules with specific functionalities, including:

  • File creation, deletion, extraction, and encryption.
  • Peer-to-peer and proxy network creation.
  • Local network numeration and traversal.
  • External IP address and port scanning.

For further information:


Threat updates

Date Update
14 May 2020

A new Dacls variant has been observed that is able to target macOS devices.


Remediation steps

Type Step

To prevent and detect a trojan infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, anti-virus and other security products are kept up-to-date.
  • Regular anti-virus and security scans are performed on your organisation’s estate.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place.
  • Network, proxy and firewall logs should be monitored for suspicious activity.
  • User accounts accessed from affected devices should be reset on a clean computer.
  • Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.


Indicators of compromise

Main indicators

IP Addresses

  • 107.172.197[.]175
  • 172.93.201[.]219
  • 192.210.213[.]178
  • 198.180.198[.]6
  • 209.90.234[.]34
  • 23.227.196[.]116
  • 23.227.199[.]53
  • 23.254.119[.]12
  • 23.81.246[.]179
  • 37.72.175[.]179
  • 64.188.19[.]117
  • 74.121.190[.]121
  • 67.43.239[.]146
  • 185.62.58[.]207
  • 50.87.144[.]227

URLs

  • areac-agr[.]com/cms/wp-content/uploads/2015/12/check.vm
  • areac-agr[.]com/cms/wp-content/uploads/2015/12/hdata.dat
  • areac-agr[.]com/cms/wp-content/uploads/2015/12/ldata.dat
  • areac-agr[.]com/cms/wp-content/uploads/2015/12/mdata.dat
  • areac-agr[.]com/cms/wp-content/uploads/2015/12/r.vm
  • areac-agr[.]com/cms/wp-content/uploads/2015/12/rdata.dat
  • areac-agr[.]com/cms/wp-content/uploads/2015/12/sdata.dat
  • loneeaglerecords[.]com/wp-content/uploads/2020/01/images.tgz.001

MD5 File Hashes

  • 6de65fc57a4428ad7e262e980a7f6cc7
  • 80c0efb9e129f7f9b05a783df6959812
  • 8910bdaaa6d3d40e9f60523d3a34f914
  • 982bf527b9fe16205fea606d1beed7fa
  • a99b7ef095f44cf35453465c64f0c70c
  • bea49839390e4f1eb3cb38d0fcaf897e
  • cef99063e85af8b065de0ffa9d26cb03
  • e883bf5fd22eb6237eb84d80bbcf2ac9

SHA256 File Hashes

  • 899e66ede95686a06394f707dd09b7c29af68f95d22136f0a023bfd01390ad53
  • 846d8647d27a0d729df40b13a644f3bffdc95f6d0e600f2195c85628d59f1dc6
  • 216a83e54cac48a75b7e071d0262d98739c840fd8cd6d0b48a9c166b69acd57d
  • d3235a29d254d0b73ff8b5445c962cd3b841f487469d60a02819c0eb347111dd

CVE Vulnerabilities

Last edited: 29 June 2021 11:57 am