North Korean hackers are utilizing a brand new model of the DTrack backdoor to assault organizations in Europe and Latin America.
DTrack is a modular backdoor that includes a keylogger, a screenshot snapper, a browser historical past retriever, a working processes snooper, an IP handle and community connection data snatcher, and extra.
Other than spying, it will possibly additionally run instructions to carry out file operations, fetch extra payloads, steal recordsdata and information, and execute processes on the compromised system.
The brand new malware model would not characteristic many purposeful or code adjustments in comparison with samples analyzed previously, however it’s now deployed much more broadly.
A wider distribution
As Kaspersky explains in a report revealed right this moment, their telemetry reveals DTrack exercise in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and america.
The focused sectors embrace authorities analysis facilities, coverage institutes, chemical producers, IT service suppliers, telecommunication suppliers, utility service suppliers, and training.
Within the new marketing campaign, Kaspersky has seen DTrack distributed utilizing filenames generally related to legit executables.
For instance, one pattern they shared is distributed underneath the ‘NvContainer.exe’ file title, which is identical title as a legit NVIDIA file.
Kaspersky instructed BleepingComputer that DTrack continues to be put in by breaching networks utilizing stolen credentials or exploiting Web-exposed servers, as seen in earlier campaigns.
When launched, the malware goes by means of a number of decryption steps earlier than its last payload is loaded by way of course of hollowing into an “explorer.exe” course of, working instantly from reminiscence.
The one variations to previous DTrack variants are it now makes use of API hashing to load libraries and features as an alternative of obfuscated strings, and that the variety of C2 servers has been minimize by half to only three.
A few of the C2 servers uncovered by Kaspersky are “pinkgoat[.]com”, “purewatertokyo[.]com”, “purplebear[.]com”, and “salmonrabbit[.]com.”
DTrack attribution
Kaspersky attributes this exercise to the North Korean Lazarus hacking group and claims the risk actors use DTrack each time they see the potential for monetary features.
In August 2022, the identical researchers linked the backdoor to the North Korean hacking group tracked as ‘Andariel,’ which deployed Maui ransomware in company networks within the U.S. and South Korea.
In February 2020, Dragos linked DTrack to a North Korean risk group, ‘Wassonite,’ which attacked nuclear power and oil and gasoline amenities.