North Korea-linked APT Lazarus is using a new version of the DTrack backdoor to attack organizations in Europe and Latin America, Kaspersky researchers warn.
What is the DTrack backdoor?
“DTrack allows criminals to upload, download, start or delete files on the victim host,” wrote Kaspersky security researchers Konstantin Zykov and Jornt van der Wiel.
DTrack has the following key capabilities:
- A keylogger
- A screenshot snapper
- A browser history retriever
- A running processes snooper
- An IP address snatcher
- A network connection information snatcher
The Lazarus group has been using DTrack as a backdoor to access different systems. Although the backdoor was discovered three years ago, the threat actors are still using it today, and the group covers a wide range of targets with it.
It targets organizations in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the U.S. in its expanded operations.
The malware executes in three stages:
- In the first stage, DTrack uses an offset-oriented retrieval function.
- The second stage is stored inside the malware PE file and consists of heavily obfuscated shellcode, different encryption methods, and modified versions of the RC4, RC5, and RC6 algorithms.
- The third stage can be the final payload (a DLL), which is decrypted and loaded via process hollowing into an explorer.exe process.
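As an added defensive illustration (not code from the article or from the Kaspersky report): because the final stage is loaded into explorer.exe by process hollowing, the malware's loader itself creates that explorer.exe process, whereas a normal explorer.exe is started by the logon chain (userinit.exe) or by explorer.exe itself. The Python below parses constructed Sysmon-style process-creation lines and flags explorer.exe instances with an unexpected parent; the log format, the sample lines and the parent allow-list are assumptions to tune for your environment.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, flattened
# to one line each). These are illustrative, not real DTrack telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\explorer.exe ParentImage=C:\\Windows\\System32\\userinit.exe User=CORP\\alice",
    "Image=C:\\Windows\\explorer.exe ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe User=CORP\\alice",
    "Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe User=CORP\\alice",
    "Image=C:\\Windows\\explorer.exe ParentImage=C:\\Windows\\explorer.exe User=CORP\\bob",
]

# Parents that legitimately start explorer.exe (assumption: baseline your own fleet).
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe"}


def parse_event(line: str) -> dict:
    """Parse a 'Key=Value Key=Value' line into a dict; values here contain no spaces."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_suspicious_explorer(events: list) -> list:
    """Return explorer.exe creations whose parent is not in the expected set.

    A hollowed explorer.exe keeps the legitimate on-disk image path, so the
    image itself looks normal; the anomaly is who created it.
    """
    hits = []
    for line in events:
        ev = parse_event(line)
        if basename(ev.get("Image", "")) != "explorer.exe":
            continue
        parent = basename(ev.get("ParentImage", ""))
        if parent not in EXPECTED_EXPLORER_PARENTS:
            hits.append({"parent": ev.get("ParentImage"), "user": ev.get("User"), "raw": line})
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_explorer(SAMPLE_EVENTS):
        print("suspicious explorer.exe parent:", hit["parent"], "user:", hit["user"])
```

This parent-process heuristic is a hunting starting point; confirming hollowing still requires comparing the in-memory image of the flagged process against its on-disk file.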
DTrack is spreading into new regions around the world, indicating the success of DTrack. Among the sectors targeted by the threat actors are:
- Chemical manufacturing
- Government research centres
- Government policy institutes
- IT service providers
- Utility providers
- Telecommunications companies