North Korean hackers target European orgs with updated malware


North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America.

DTrack is a modular backdoor featuring a keylogger, a screenshot snapper, a browser history retriever, a running-processes snooper, an IP address and network connection information snatcher, and more.

Apart from spying, it can also run commands to perform file operations, fetch additional payloads, steal files and data, and execute processes on the compromised device.

The new malware version doesn't feature many functional or code changes compared to samples analyzed in the past, but it is now deployed far more widely.

A wider distribution

As Kaspersky explains in a report published today, their telemetry shows DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States.

The targeted sectors include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunication providers, utility service providers, and education.

In the new campaign, Kaspersky has seen DTrack distributed using filenames commonly associated with legitimate executables.

For example, one sample they shared is distributed under the 'NvContainer.exe' file name, which is the same name as a legitimate NVIDIA file.

Kaspersky told BleepingComputer that DTrack is still installed by breaching networks using stolen credentials or exploiting Internet-exposed servers, as seen in past campaigns.

When launched, the malware goes through several decryption steps before its final payload is loaded via process hollowing into an "explorer.exe" process, running directly from memory.

Chunk decryption routine (Kaspersky)

The only differences from past DTrack variants are that it now uses API hashing to load libraries and functions instead of obfuscated strings, and that the number of C2 servers has been cut by half to just three.

Some of the C2 servers uncovered by Kaspersky are "pinkgoat[.]com", "purewatertokyo[.]com", "purplebear[.]com", and "salmonrabbit[.]com".
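The two indicators the article gives defenders, the C2 domains above and the 'NvContainer.exe' masquerade, are easy to turn into a detection sweep. The following script is an added example written for this article, not code from Kaspersky or BleepingComputer. It refangs the defanged domains, flags DNS queries to them (or to any subdomain), and flags any process named NvContainer.exe that runs outside the directory where the genuine NVIDIA binary is expected. The DNS log format, the process event fields, and the expected NVIDIA install directory are assumptions for the example; the sample log lines and process events are constructed, not real telemetry.

```python
import ntpath
import re

# Indicators taken from the article: C2 domains as Kaspersky reported them (defanged)
# and the legitimate-looking file name the sample was distributed under.
C2_DOMAINS_DEFANGED = [
    "pinkgoat[.]com",
    "purewatertokyo[.]com",
    "purplebear[.]com",
    "salmonrabbit[.]com",
]
MASQUERADED_NAME = "nvcontainer.exe"

# Assumption for this example: where a genuine NVIDIA NvContainer.exe is expected to live.
# Adjust to what your fleet actually installs.
EXPECTED_DIRS = ("c:\\program files\\nvidia corporation\\",)


def refang(indicator: str) -> str:
    """Convert defanged 'host[.]tld' notation into a real lowercase hostname for matching."""
    return indicator.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def dns_hits(log_lines):
    """Return (line_number, queried_name) for queries to a C2 domain or any subdomain of one.

    Assumed log shape (constructed, BIND-like): '... query: <name> IN A'.
    """
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = re.search(r"query:\s*([A-Za-z0-9.-]+)", line)
        if not m:
            continue
        qname = m.group(1).lower().rstrip(".")  # drop the trailing dot of an FQDN
        if any(qname == c2 or qname.endswith("." + c2) for c2 in C2_DOMAINS):
            hits.append((n, qname))
    return hits


def suspicious_image_paths(process_events):
    """Return PIDs of processes named NvContainer.exe running outside the expected directory.

    Each event is assumed to be a dict with 'pid' and a Windows 'image' path.
    """
    flagged = []
    for ev in process_events:
        image = ev["image"].lower()
        if ntpath.basename(image) != MASQUERADED_NAME:
            continue
        if not image.startswith(EXPECTED_DIRS):
            flagged.append(ev["pid"])
    return flagged


# Constructed sample data, not real telemetry.
SAMPLE_DNS = [
    "2022-11-15T10:01:02 client 10.0.0.5 query: www.example.com IN A",
    "2022-11-15T10:02:11 client 10.0.0.5 query: pinkgoat.com IN A",
    "2022-11-15T10:02:40 client 10.0.0.9 query: updates.vendor.example IN A",
    "2022-11-15T10:03:05 client 10.0.0.5 query: cdn.salmonrabbit.com. IN A",
]
SAMPLE_PROCESSES = [
    {"pid": 4120, "image": "C:\\Program Files\\NVIDIA Corporation\\NvContainer\\nvcontainer.exe"},
    {"pid": 5203, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\NvContainer.exe"},
    {"pid": 5310, "image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for n, name in dns_hits(SAMPLE_DNS):
        print(f"DNS line {n}: query for known DTrack C2 {name}")
    for pid in suspicious_image_paths(SAMPLE_PROCESSES):
        print(f"PID {pid}: NvContainer.exe running from an unexpected path")
```

The path check catches the masquerade described in the article only when the binary is dropped somewhere other than NVIDIA's own directory; a sample planted in the expected location would need a hash or signature check instead, which the article gives no indicators for.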

DTrack attribution

Kaspersky attributes this activity to the North Korean Lazarus hacking group and claims the threat actors use DTrack whenever they see the potential for financial gain.

In August 2022, the same researchers linked the backdoor to the North Korean hacking group tracked as 'Andariel,' which deployed Maui ransomware on corporate networks in the U.S. and South Korea.

In February 2020, Dragos linked DTrack to a North Korean threat group, 'Wassonite,' which attacked nuclear energy and oil and gas facilities.
