The Lazarus Group, the North Korean-linked hacking group believed to be behind in the spread of the WannaCry ransomware in 2017 and linked to a campaign targeting banks and financial institutions in 2018, is back again.

Now it’s targeting Linux systems alongside Windows. The new Lazarus campaign, detailed today by Qihoo 360 Netlab researchers, uses a remote-access Trojan virus dubbed Dacls.

First detected in May, it’s a new type of software that allows for remote code execution and enables the Lazarus Group to access file locations on a server. The Trojan is said to exploit a vulnerability first revealed in Atlassian Confluence in March, known as CVE-2019-3396. The infection path uses the vulnerability — a remote execution flaw in the Widget Connector macro in Atlassian Confluence server in versions 6.6.12 and below — to gain access and deploy Dacls for further malicious activity.

As ZDNet noted, that activity includes stealing, deleting and executing files; scanning directory structures, downloading additional payloads, killing processes, creating daemon process and uploading data including scan results and command execution output.

While currently exploiting a vulnerability in Atlassian Confluence, the method used opens the door to wider attacks.

“While this sequence relies on a successful exploit of CVE-2019-3396 it also highlights the reality of APTs – the primary attack mode is to gain traction within a system,” Tim Mackey, principal security strategist at electronic design automation firm Synopsys Inc.’s Cybersecurity Research Center, told SiliconANGLE. “This means that any organization with an unpatched vulnerability enabling remote code execution could fall victim to a similar attack, but more importantly this risk extends far beyond traditional Linux computers.”

Linux is commonly used in servers, desktops and in the “internet of things” and embedded systems, Mackey explained.

“It is the IoT and significantly the IIoT space which should be particularly concerned with threats like Dacls.Linux as the embedded systems powering IoT devices tend to have long lifespans and not have commercial anti-malware solutions,” he said.

All organizations should do a robust review of all firmware for IoT devices, Mackey added. That includes looking for critical items like unpatched vulnerabilities in the libraries used to create the firmware, but also should include a detailed accounting for all external APIs and services the firmware communicates with.

Image: methodshop/Flickr