The DTrack backdoor, widely used by the North Korean Lazarus group over the last three years, continues to be deployed to target organizations in Europe and the US.
According to a new advisory by Kaspersky, DTrack has been used in financial environments to breach ATMs, in ransomware attacks and in campaigns against a nuclear power plant in India.
“DTrack allows criminals to upload, download, start or delete files on the victim host,” wrote Kaspersky security researchers Konstantin Zykov and Jornt van der Wiel.
Among the downloaded and executed files already seen in the standard DTrack toolset, the company observed a keylogger, a screenshot maker and a module for gathering victims’ system information.
“With a toolset like this, criminals can implement lateral movement into the victims’ infrastructure in order to, for instance, retrieve compromising information,” Zykov and van der Wiel added.
From a technical standpoint, Kaspersky said DTrack had not changed significantly over time, but the threat actors behind it made some “interesting” modifications.
“DTrack hides itself inside an executable that looks like a legitimate program, and there are several stages of decryption before the malware payload starts,” reads the technical write-up.
After these stages, and once the final payload is decrypted, it is loaded using process hollowing into the explorer.exe process.
“In earlier DTrack samples, the libraries to be loaded were obfuscated strings. In more recent versions, they use API hashing to load the proper libraries and functions. Another small change is that three C2 servers are used instead of six.”
Regarding targeted organizations, Kaspersky detected DTrack activity in Germany, Brazil, India, Mexico, Switzerland, Italy, Saudi Arabia, Turkey and the US. Affected sectors include education, chemical manufacturing, governmental research and policy institutes, as well as IT service providers, utility providers and telecommunications.
“The DTrack backdoor continues to be used actively by the Lazarus group. Changes in the way the malware is packed show that Lazarus still sees DTrack as an important asset,” Kaspersky explained.
“Despite this, Lazarus has not changed the backdoor much since 2019, when it was initially discovered. When the victimology is analyzed, it becomes clear that operations have expanded to Europe and Latin America, a trend we are seeing more and more often.”
The Kaspersky advisory comes weeks after Microsoft observed threat actors associated with Lazarus using open-source software to target employees in organizations across several industries.