Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

North Korean-Linked Dtrack RAT Discovered

An investigation into banking malware targeting India has led to the discovery of a new remote access Trojan (RAT) employed by the North Korean-linked Lazarus group, Kaspersky reports.

An investigation into banking malware targeting India has led to the discovery of a new remote access Trojan (RAT) employed by the North Korean-linked Lazarus group, Kaspersky reports.

Dubbed Dtrack, the Trojan was discovered during the analysis of ATMDtrack, a piece of malware that, once planted on ATMs, could read and store data from payment cards. During their investigation, Kaspersky’s security researchers discovered over 180 samples of Dtrack.

Initially, the payload was encrypted with various droppers. After decrypting the final payload, Kaspersky found similarities with the 2013 DarkSeoul campaign, which was attributed to the Lazarus group.

“It seems that they reused part of their old code to attack the financial sector and research centers in India. According to our telemetry, the last activity of DTrack was detected in the beginning of September 2019,” Kaspersky says.

Artifacts the researchers discovered during their analysis of the malware include an extra executable, process hollowing shellcode, and a list of predefined executable names, which the malware uses as a future process name.

During execution, data is decrypted, then process hollowing code is started, with the name of the process to be hollowed used as an argument (the name is chosen from the predefined list). The target of the process hollowing is suspended and its memory overwritten with the payload from the dropper overlay.

The droppers contain multiple executables, all meant to spy on the victim. The various Dtrack payload executables found include functionality such as keylogging, retrieving browser history, gathering host IP addresses, information about available networks and active connections, listing all running processes, and listing all files on all available disk volumes.

Some of the executables were designed to pack the collected data into a password protected archive and save it to the disk, while others would send the data to the command and control (C&C) server directly.

Advertisement. Scroll to continue reading.

The RAT contained by the droppers can download/upload files, achieve persistence for target files, dump disk volumes or folders and upload them to a host controlled by criminals, set an interval timeout value between new command checks, exit and remove the persistence and the binary itself, and execute processes on the victim machine.

The ATMDtrack malware, Kaspersky explains, is part of the Dtrack family. Both projects are the work of the same author, as they share style and also use the same implemented functions.

“Now we can add another family to the Lazarus group’s arsenal: ATMDtrack and Dtrack. The vast amount of Dtrack samples that we were able to find shows that the Lazarus group is one of the most active APT groups in terms of malware development. They continue to develop malware at a fast pace and expand their operations,” Kaspersky concludes.

Related: Attacks on European Firms Suggest Return of “Dark Seoul” Group

Related: U.S. Cyber Command Adds North Korean Malware Samples to VirusTotal

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.