Wednesday, November 16, 2022

North Korean hackers target European orgs with updated malware


North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America.

DTrack is a modular backdoor that includes a keylogger, a screenshot grabber, a browser history retriever, a running-process snooper, an IP address and network connection information collector, and more.

Apart from spying, it can also run commands to perform file operations, fetch additional payloads, steal files and data, and execute processes on the compromised system.

The new malware version does not feature many functional or code changes compared to samples analyzed in the past, but it is now deployed much more widely.

A wider distribution

As Kaspersky explains in a report published today, its telemetry shows DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States.

The targeted sectors include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunication providers, utility service providers, and education.

In the new campaign, Kaspersky has seen DTrack distributed using filenames commonly associated with legitimate executables.

For example, one sample they shared is distributed under the 'NvContainer.exe' file name, which is the same name as a legitimate NVIDIA file.

Kaspersky told BleepingComputer that DTrack is still installed by breaching networks using stolen credentials or by exploiting Internet-exposed servers, as seen in previous campaigns.

When launched, the malware goes through several decryption steps before its final payload is loaded via process hollowing into an "explorer.exe" process, running directly from memory.

Chunk decryption routine (Kaspersky)

The only differences from past DTrack variants are that it now uses API hashing to load libraries and functions instead of obfuscated strings, and that the number of C2 servers has been cut by half to just three.
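To make the API hashing change concrete, the following added example (not DTrack's code, and not from Kaspersky or BleepingComputer) shows why the technique defeats string-based detection: the binary carries a 32-bit hash per import rather than a name such as "VirtualAlloc", and resolves it at run time by hashing every export name of the target DLL until one matches. The ROR13 hash routine and the export table are assumptions chosen for illustration; the article does not state which hash DTrack uses.

```python
"""Illustration of API hashing as an import-resolution technique.

Added example, not DTrack's own code. The ROR13 hash and the export table
below are assumptions for illustration, not DTrack's real algorithm or a
real DLL export directory.
"""
import re
import struct

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str) -> int:
    """ROR13 additive hash over the ASCII bytes of an export name (assumed algorithm)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed export table standing in for a real kernel32.dll export directory.
FAKE_EXPORTS = {
    "CreateProcessW": 0x7FFA1000,
    "GetProcAddress": 0x7FFA2000,
    "LoadLibraryA": 0x7FFA3000,
    "VirtualAlloc": 0x7FFA4000,
    "WriteProcessMemory": 0x7FFA5000,
}


def build_import_blob(names):
    """What the malware author embeds: packed hashes, no function names."""
    return b"".join(struct.pack("<I", api_hash(n)) for n in names)


def resolve_by_hash(exports, wanted: int):
    """Walk the export table as the loader would and return (name, address)."""
    for name, addr in exports.items():
        if api_hash(name) == wanted:
            return name, addr
    raise LookupError(f"no export hashes to {wanted:#010x}")


def printable_strings(blob: bytes, min_len: int = 6):
    """A `strings`-style scan, the kind of check the hashes are meant to defeat."""
    return [m.decode() for m in re.findall(rb"[ -~]{%d,}" % min_len, blob)]


if __name__ == "__main__":
    wanted = ["LoadLibraryA", "VirtualAlloc", "WriteProcessMemory"]
    blob = build_import_blob(wanted)
    print("strings found in import blob:", printable_strings(blob))
    for (h,) in struct.iter_unpack("<I", blob):
        print(f"{h:#010x} -> {resolve_by_hash(FAKE_EXPORTS, h)}")
```

The practical consequence for defenders is that YARA rules keyed on import names or plaintext API strings stop matching; detection has to move to the hash constants themselves, the resolver loop's code pattern, or run-time behaviour such as the process hollowing described above.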

Some of the C2 servers uncovered by Kaspersky are "pinkgoat[.]com", "purewatertokyo[.]com", "purplebear[.]com", and "salmonrabbit[.]com".
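The two indicators this article gives, a binary named like the legitimate NVIDIA 'NvContainer.exe' but living somewhere unexpected, and lookups for the published C2 domains, can be turned directly into hunt logic. The following added example (not Kaspersky's or BleepingComputer's code) runs both checks over constructed process-creation events and resolver log lines; the expected install directory for the genuine binary is an assumption to adjust for your own estate, and the log formats are invented for the example.

```python
"""Hunt for DTrack tradecraft: name masquerading and C2 DNS lookups.

Added example, not from Kaspersky or BleepingComputer. The event records and
log format are constructed; EXPECTED_DIRS is an assumption about where the
genuine NvContainer.exe is installed.
"""
import re
from pathlib import PureWindowsPath

# C2 domains from the article, stored defanged as published and refanged here.
DTRACK_C2 = {
    d.replace("[.]", ".")
    for d in ("pinkgoat[.]com", "purewatertokyo[.]com", "purplebear[.]com", "salmonrabbit[.]com")
}

# Assumption: directory the genuine binary runs from. Anything else with this name is suspect.
EXPECTED_DIRS = {
    "nvcontainer.exe": (PureWindowsPath(r"C:\Program Files\NVIDIA Corporation\NvContainer"),),
}

# Constructed process-creation events (Sysmon EID 1 / EDR style), not real telemetry.
PROCESS_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe"},
    {"host": "ws07", "image": r"C:\Users\Public\NvContainer.exe"},
    {"host": "ws07", "image": r"C:\Windows\explorer.exe"},
]

# Constructed resolver log lines in the form "<timestamp> <host> query <type> <qname>".
DNS_LINES = [
    "2022-11-16T09:12:01Z ws07 query A pinkgoat.com",
    "2022-11-16T09:12:05Z ws01 query A www.nvidia.com",
    "2022-11-16T09:13:40Z ws07 query A api.salmonrabbit.com.",
]
DNS_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)$")


def masquerade_hits(events):
    """Flag tracked binary names whose directory is not one of the expected ones."""
    hits = []
    for ev in events:
        image = PureWindowsPath(ev["image"])
        expected = EXPECTED_DIRS.get(image.name.lower())
        if expected is None:
            continue  # not a name we track
        parent = image.parent
        # PureWindowsPath compares case-insensitively; subfolders of an expected dir are accepted.
        if not any(parent == d or d in parent.parents for d in expected):
            hits.append({"host": ev["host"], "image": ev["image"]})
    return hits


def c2_dns_hits(lines):
    """Return (host, qname, matched_c2) for lookups of a C2 domain or any subdomain of one."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue  # malformed line, skip rather than crash the hunt
        _ts, host, qname = m.groups()
        qname = qname.lower().rstrip(".")  # normalise case and trailing root dot
        labels = qname.split(".")
        for i in range(len(labels) - 1):
            suffix = ".".join(labels[i:])
            if suffix in DTRACK_C2:
                hits.append((host, qname, suffix))
                break
    return hits


if __name__ == "__main__":
    for h in masquerade_hits(PROCESS_EVENTS):
        print("masquerade:", h)
    for h in c2_dns_hits(DNS_LINES):
        print("c2 lookup:", h)
```

A filename check alone is weak, since the operator can drop the file into the real NVIDIA directory; pair it with Authenticode signature verification of the image and, because the final payload runs hollowed inside explorer.exe, with hunting for explorer.exe instances whose parent is not the usual userinit.exe or explorer.exe chain.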

DTrack attribution

Kaspersky attributes this activity to the North Korean Lazarus hacking group and says the threat actors use DTrack whenever they see the potential for financial gain.

In August 2022, the same researchers linked the backdoor to the North Korean hacking group tracked as 'Andariel,' which deployed Maui ransomware in corporate networks in the U.S. and South Korea.

In February 2020, Dragos linked DTrack to a North Korean threat group, 'Wassonite,' which attacked nuclear energy and oil and gas facilities.


