Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

North Korean-Linked Dtrack RAT Discovered

An investigation into banking malware targeting India has led to the discovery of a new remote access Trojan (RAT) employed by the North Korean-linked Lazarus group, Kaspersky reports.

An investigation into banking malware targeting India has led to the discovery of a new remote access Trojan (RAT) employed by the North Korean-linked Lazarus group, Kaspersky reports.

Dubbed Dtrack, the Trojan was discovered during the analysis of ATMDtrack, a piece of malware that, once planted on ATMs, could read and store data from payment cards. During their investigation, Kaspersky’s security researchers discovered over 180 samples of Dtrack.

Initially, the payload was encrypted with various droppers. After decrypting the final payload, Kaspersky found similarities with the 2013 DarkSeoul campaign, which was attributed to the Lazarus group.

“It seems that they reused part of their old code to attack the financial sector and research centers in India. According to our telemetry, the last activity of DTrack was detected in the beginning of September 2019,” Kaspersky says.

Artifacts the researchers discovered during their analysis of the malware include an extra executable, process hollowing shellcode, and a list of predefined executable names, which the malware uses as a future process name.

During execution, data is decrypted, then process hollowing code is started, with the name of the process to be hollowed used as an argument (the name is chosen from the predefined list). The target of the process hollowing is suspended and its memory overwritten with the payload from the dropper overlay.

The droppers contain multiple executables, all meant to spy on the victim. The various Dtrack payload executables found include functionality such as keylogging, retrieving browser history, gathering host IP addresses, information about available networks and active connections, listing all running processes, and listing all files on all available disk volumes.

Advertisement. Scroll to continue reading.

Some of the executables were designed to pack the collected data into a password protected archive and save it to the disk, while others would send the data to the command and control (C&C) server directly.

The RAT contained by the droppers can download/upload files, achieve persistence for target files, dump disk volumes or folders and upload them to a host controlled by criminals, set an interval timeout value between new command checks, exit and remove the persistence and the binary itself, and execute processes on the victim machine.

The ATMDtrack malware, Kaspersky explains, is part of the Dtrack family. Both projects are the work of the same author, as they share style and also use the same implemented functions.

“Now we can add another family to the Lazarus group’s arsenal: ATMDtrack and Dtrack. The vast amount of Dtrack samples that we were able to find shows that the Lazarus group is one of the most active APT groups in terms of malware development. They continue to develop malware at a fast pace and expand their operations,” Kaspersky concludes.

Related: Attacks on European Firms Suggest Return of “Dark Seoul” Group

Related: U.S. Cyber Command Adds North Korean Malware Samples to VirusTotal

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.