Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.[1][2]

ID: S0497
Platforms: macOS, Linux, Windows
Version: 1.0
Created: 07 August 2020
Last Modified: 02 September 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Dacls can use HTTPS in C2 communications.[2][1]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

Dacls can establish persistence via a LaunchAgent.[2][1]

.004 Create or Modify System Process: Launch Daemon

Dacls can establish persistence via a Launch Daemon.[2][1]

Enterprise T1083 File and Directory Discovery

Dacls can scan directories on a compromised host.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Dacls has had its payload named with a dot prefix to make it hidden from view in the Finder application.[2][1]

Enterprise T1105 Ingress Tool Transfer

Dacls can download its payload from a C2 server.[2][1]

Enterprise T1036 Masquerading

The Dacls Mach-O binary has been disguised as a .nib file.[2]

Enterprise T1027 Obfuscated Files or Information

Dacls can encrypt its configuration file with AES CBC.[1]

Enterprise T1057 Process Discovery

Dacls can collect data on running and parent processes.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group