An investigation into banking malware targeting India has led to the discovery of a new remote access Trojan (RAT) employed by the North Korean-linked Lazarus group, Kaspersky reports.
Dubbed Dtrack, the Trojan was discovered during the analysis of ATMDtrack, a piece of malware that, once planted on ATMs, could read and store data from payment cards. During their investigation, Kaspersky’s security researchers discovered over 180 samples of Dtrack.
Initially, the payload was encrypted with various droppers. After decrypting the final payload, Kaspersky found similarities with the 2013 DarkSeoul campaign, which was attributed to the Lazarus group.
“It seems that they reused part of their old code to attack the financial sector and research centers in India. According to our telemetry, the last activity of DTrack was detected in the beginning of September 2019,” Kaspersky says.
Artifacts the researchers discovered during their analysis of the malware include an extra executable, process hollowing shellcode, and a list of predefined executable names, which the malware uses as a future process name.
During execution, data is decrypted, then process hollowing code is started, with the name of the process to be hollowed used as an argument (the name is chosen from the predefined list). The target of the process hollowing is suspended and its memory overwritten with the payload from the dropper overlay.
The droppers contain multiple executables, all meant to spy on the victim. The various Dtrack payload executables found include functionality such as keylogging, retrieving browser history, gathering host IP addresses, information about available networks and active connections, listing all running processes, and listing all files on all available disk volumes.
Some of the executables were designed to pack the collected data into a password protected archive and save it to the disk, while others would send the data to the command and control (C&C) server directly.
The RAT contained by the droppers can download/upload files, achieve persistence for target files, dump disk volumes or folders and upload them to a host controlled by criminals, set an interval timeout value between new command checks, exit and remove the persistence and the binary itself, and execute processes on the victim machine.
The ATMDtrack malware, Kaspersky explains, is part of the Dtrack family. Both projects are the work of the same author, as they share style and also use the same implemented functions.
“Now we can add another family to the Lazarus group’s arsenal: ATMDtrack and Dtrack. The vast amount of Dtrack samples that we were able to find shows that the Lazarus group is one of the most active APT groups in terms of malware development. They continue to develop malware at a fast pace and expand their operations,” Kaspersky concludes.
Related: Attacks on European Firms Suggest Return of “Dark Seoul” Group
Related: U.S. Cyber Command Adds North Korean Malware Samples to VirusTotal