Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.[1][2]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols |
Enterprise | T1543.001 | Create or Modify System Process: Launch Agent |
Enterprise | T1543.004 | Create or Modify System Process: Launch Daemon |
Enterprise | T1083 | File and Directory Discovery |
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Dacls has had its payload named with a dot prefix to make it hidden from view in the Finder application.[2][1]
Enterprise | T1105 | Ingress Tool Transfer |
Enterprise | T1036 | Masquerading | The Dacls Mach-O binary has been disguised as a .nib file.[2]
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File |
Enterprise | T1057 | Process Discovery |
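The two on-disk behaviours the table describes, a dot-prefixed payload hidden from Finder (T1564.001) and a Mach-O binary carrying a .nib extension (T1036), are both defeated by looking at file headers instead of file names. The script below is an added example, not code from ATT&CK or from any published Dacls analysis: it walks a directory tree, flags dot-prefixed files whose first bytes are a Mach-O header, and flags Mach-O files stored under extensions that should never hold executable code. The sample directory, its file names, and every extension in the list other than .nib are constructed for the demonstration and are not tied to a real sample.

```python
import os
import struct
import tempfile
from pathlib import Path

# First four bytes of the Mach-O header in both on-disk byte orders:
# MH_MAGIC / MH_CIGAM (32-bit) and MH_MAGIC_64 / MH_CIGAM_64 (64-bit).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal (fat) binary; Java .class shares it

# Extensions under which a Mach-O executable has no business appearing.
# .nib is the one the page documents; the rest are assumptions of this example.
NON_EXECUTABLE_EXTS = {".nib", ".plist", ".strings", ".png", ".txt", ".dat"}


def classify_header(head: bytes) -> bool:
    """Return True if the first 8 bytes identify a Mach-O or fat binary."""
    if len(head) < 8:
        return False
    magic = head[:4]
    if magic in MACHO_MAGICS:
        return True
    if magic == FAT_MAGIC:
        # A fat header carries nfat_arch next (big-endian). A Java class file
        # carries minor/major version there, and major is always >= 45, so a
        # small count separates the two (the same heuristic file(1) applies).
        nfat_arch = struct.unpack(">I", head[4:8])[0]
        return nfat_arch < 20
    return False


def is_macho(path: Path) -> bool:
    """Read the header of a file on disk and classify it."""
    try:
        with path.open("rb") as fh:
            return classify_header(fh.read(8))
    except OSError:
        return False


def scan_tree(root: Path) -> list:
    """Walk root and return sorted (relative_path, [reasons]) for suspect files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if not is_macho(path):
                continue  # hidden or oddly named non-executables are noise
            reasons = []
            if name.startswith("."):
                reasons.append("hidden Mach-O (dot-prefixed, T1564.001)")
            if path.suffix.lower() in NON_EXECUTABLE_EXTS:
                reasons.append(f"Mach-O disguised as {path.suffix} (T1036)")
            if reasons:
                findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_sample_tree() -> Path:
    """Create a constructed sample directory; nothing here is a real sample."""
    root = Path(tempfile.mkdtemp(prefix="macho_hunt_"))
    agents = root / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    # Little-endian 64-bit Mach-O magic followed by zero padding (no real code).
    macho_stub = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
    # Benign compiled nib: these are binary plists.
    (agents / "MainMenu.nib").write_bytes(b"bplist00" + b"\x00" * 24)
    # Masqueraded payload: Mach-O bytes stored under a .nib name.
    (agents / "Resources.nib").write_bytes(macho_stub)
    # Hidden payload: Mach-O bytes under a dot-prefixed name.
    (agents / ".hidden_agent").write_bytes(macho_stub)
    # Hidden but benign Finder metadata file.
    (agents / ".DS_Store").write_bytes(b"\x00\x00\x00\x01Bud1" + b"\x00" * 24)
    # A property list that really is a property list.
    (agents / "com.example.agent.plist").write_bytes(b'<?xml version="1.0"?>' + b"\x00" * 8)
    return root


if __name__ == "__main__":
    for rel_path, reasons in scan_tree(build_sample_tree()):
        print(rel_path, "->", "; ".join(reasons))
```

Run against `~/Library/LaunchAgents`, `/Library/LaunchAgents`, `/Library/LaunchDaemons` and any application bundle under suspicion; a hit is a file whose bytes say executable while its name says otherwise, which is exactly the disguise this sample relied on.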
ID | Name | References
---|---|---
G0032 | Lazarus Group |