North Korea-linked APT Lazarus is using a new version of the DTrack backdoor to attack organizations in Europe and Latin America, Kaspersky researchers warn.
What is the DTrack backdoor?
"DTrack allows criminals to upload, download, start or delete files on the victim host," wrote Kaspersky security researchers Konstantin Zykov and Jornt van der Wiel.
DTrack includes the following key components:
- A keylogger
- A screenshot grabber
- A browser history retriever
- A running-process enumerator
- An IP address collector
- A network connection information collector
The Lazarus group has been using DTrack as a backdoor to access a variety of systems. Although the backdoor was discovered three years ago, the threat actors are still using it today, against a wide range of targets.
Its expanded operations target organizations in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the U.S.
DTrack Loading Stages
- In the first stage, DTrack uses an offset-oriented retrieval function to retrieve the second stage.
- The second stage is stored inside the malware PE file and consists of heavily obfuscated shellcode, several encryption methods, and modified versions of the RC4, RC5, and RC6 algorithms.
- The third stage can be the final payload, a DLL that is decrypted and loaded via process hollowing into an explorer.exe process.
DTrack is spreading into new regions around the world, a sign of its success. Among the sectors targeted by the threat actors are:
- Education
- Chemical manufacturing
- Government research centres
- Government policy institutes
- IT service providers
- Utility providers
- Telecommunications companies
IOCs
C2 domains
- pinkgoat[.]com
- purewatertokyo[.]com
- purplebear[.]com
- salmonrabbit[.]com
MD5 hashes
- 1A74C8D8B74CA2411C1D3D22373A6769
- 67F4DAD1A94ED8A47283C2C0C05A7594
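To turn the indicators above into something a defender can actually run, here is an added example (not from Kaspersky or the original article) that refangs the published domains, then checks constructed DNS log lines and md5sum-style file inventory lines against the C2 domains and MD5 hashes listed on this page. The log format, hostnames and file paths are assumptions made up for the demonstration.

```python
import re

# IOCs as published in the DTrack report quoted on this page (defanged form).
DTRACK_C2_DOMAINS = [
    "pinkgoat[.]com",
    "purewatertokyo[.]com",
    "purplebear[.]com",
    "salmonrabbit[.]com",
]
DTRACK_MD5 = [
    "1A74C8D8B74CA2411C1D3D22373A6769",
    "67F4DAD1A94ED8A47283C2C0C05A7594",
]

# Hostname-looking tokens: one or more dotted labels ending in an alphabetic TLD.
# Dotted IPv4 addresses do not match because the last label must be letters.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Convert a defanged indicator ("[.]", "hxxp") back to its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def match_dns_log(lines, defanged_domains):
    """Return (line_number, domain) for queries to a C2 domain or a subdomain of it."""
    domains = {refang(d) for d in defanged_domains}
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for candidate in DOMAIN_RE.findall(line):
            c = candidate.lower()
            # Exact match or subdomain match; "notpinkgoat.com" must NOT match.
            if c in domains or any(c.endswith("." + d) for d in domains):
                hits.append((lineno, c))
    return hits


def match_hash_inventory(lines, md5s):
    """Match 'md5  path' lines (md5sum output style) against known-bad hashes."""
    wanted = {h.lower() for h in md5s}
    hits = []
    for line in lines:
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and parts[0].lower() in wanted:
            hits.append((parts[0].lower(), parts[1].strip()))
    return hits


# Constructed sample data for the demonstration; not real telemetry.
SAMPLE_DNS_LOG = [
    "2022-11-15T10:02:11Z client=10.0.4.21 query=www.example.com type=A",
    "2022-11-15T10:02:13Z client=10.0.4.21 query=cdn.purewatertokyo.com type=A",
    "2022-11-15T10:02:40Z client=10.0.4.22 query=pinkgoat.com type=A",
    "2022-11-15T10:03:01Z client=10.0.4.23 query=notpinkgoat.com type=A",
]
SAMPLE_MD5SUM_OUTPUT = [
    "d41d8cd98f00b204e9800998ecf8427e  C:\\Users\\alice\\readme.txt",
    "1a74c8d8b74ca2411c1d3d22373a6769  C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe",
]

if __name__ == "__main__":
    print(match_dns_log(SAMPLE_DNS_LOG, DTRACK_C2_DOMAINS))
    print(match_hash_inventory(SAMPLE_MD5SUM_OUTPUT, DTRACK_MD5))
```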