Lazarus Group targets Linux systems in new remote-access virus campaign
The Lazarus Group, the North Korean-linked hacking group believed to be behind the spread of the WannaCry ransomware in 2017 and linked to a campaign targeting banks and financial institutions in 2018, is back again.
Now it’s targeting Linux systems alongside Windows. The new Lazarus campaign, detailed today by Qihoo 360 Netlab researchers, uses a remote-access Trojan virus dubbed Dacls.
First detected in May, Dacls is a previously unseen piece of malware that allows for remote code execution and enables the Lazarus Group to access file locations on a server. The Trojan is said to exploit a vulnerability first revealed in Atlassian Confluence in March, known as CVE-2019-3396. The infection path uses the vulnerability — a remote execution flaw in the Widget Connector macro in Atlassian Confluence Server versions 6.6.12 and below — to gain access and deploy Dacls for further malicious activity.
As ZDNet noted, that activity includes stealing, deleting and executing files; scanning directory structures; downloading additional payloads; killing processes; creating daemon processes; and uploading data, including scan results and command execution output.
While the campaign currently exploits a vulnerability in Atlassian Confluence, the method it uses opens the door to wider attacks.
“While this sequence relies on a successful exploit of CVE-2019-3396, it also highlights the reality of APTs – the primary attack mode is to gain traction within a system,” Tim Mackey, principal security strategist at electronic design automation firm Synopsys Inc.’s Cybersecurity Research Center, told SiliconANGLE. “This means that any organization with an unpatched vulnerability enabling remote code execution could fall victim to a similar attack, but more importantly this risk extends far beyond traditional Linux computers.”
Linux is commonly used in servers, desktops and in the “internet of things” and embedded systems, Mackey explained.
“It is the IoT and significantly the IIoT space which should be particularly concerned with threats like Dacls.Linux as the embedded systems powering IoT devices tend to have long lifespans and not have commercial anti-malware solutions,” he said.
All organizations should conduct a robust review of all firmware for IoT devices, Mackey added. That includes looking for critical items such as unpatched vulnerabilities in the libraries used to build the firmware, but it should also include a detailed accounting of all external APIs and services the firmware communicates with.