The backdoor DTrack, widely used by the North Korean Lazarus group over the last three years, is still being deployed to target organizations in Europe and the US.
According to a new advisory by Kaspersky, DTrack has been used in financial environments to breach ATMs, in ransomware attacks and in campaigns against a nuclear power plant in India.
“DTrack allows criminals to upload, download, start or delete files on the victim host,” wrote Kaspersky security researchers Konstantin Zykov and Jornt van der Wiel.
Among the files that DTrack downloads and executes, the company has already identified three modules in its standard toolset: a keylogger, a screenshot maker and a module for gathering system information about the victim.
“With a toolset like this, criminals can implement lateral movement into the victims’ infrastructure in order to, for example, retrieve compromising information,” Zykov and van der Wiel added.
From a technical standpoint, Kaspersky said DTrack had not changed substantially over time, but the threat actors behind it made some “interesting” modifications.
“DTrack hides itself inside an executable that looks like a legitimate program, and there are several stages of decryption before the malware payload starts,” reads the technical write-up.
After these stages, once the final payload has been decrypted, it is loaded into an explorer.exe process by process hollowing, so the backdoor runs under the name of a legitimate Windows binary rather than as a separate, conspicuous executable.
“In previous DTrack samples, the libraries to be loaded were obfuscated strings. In more recent versions, they use API hashing to load the proper libraries and functions. Another small change is that three C2 servers are used instead of six.”
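To make the API-hashing change concrete, the following is an added example, not DTrack's code and not taken from the Kaspersky write-up. It shows both sides of the technique: how a loader resolves a Windows API from a hash instead of a plaintext name, and how an analyst reverses that by precomputing hashes for known export names. The ROR13 hash routine, the module and export lists, and the "lifted" constants are all constructed assumptions; the report does not publish the hash routine DTrack actually uses.

```python
"""API hashing, from both the loader's and the analyst's side (added example)."""
from __future__ import annotations

# Assumption: a ROR13 hash over the ASCII export name, a routine many loaders
# use. It is a stand-in chosen only to show the technique, not DTrack's hash.
def ror13_hash(name: str) -> int:
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + ch) & 0xFFFFFFFF
    return h

# Constructed stand-in for the export tables a loader walks in memory;
# a real loader parses these from the PE headers of the loaded DLLs.
FAKE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "CreateProcessW", "WriteProcessMemory"],
    "ntdll.dll": ["NtUnmapViewOfSection", "NtQueryInformationProcess"],
}

def resolve_by_hash(target: int, exports=FAKE_EXPORTS) -> tuple[str, str] | None:
    """Loader side: walk every export, hash its name, stop on a match.
    The plaintext API name never has to be stored in the binary."""
    for module, names in exports.items():
        for name in names:
            if ror13_hash(name) == target:
                return module, name
    return None

def build_hash_table(exports=FAKE_EXPORTS) -> dict[int, tuple[str, str]]:
    """Analyst side: precompute hashes for known API names so that constants
    pulled out of a sample can be labelled without running it."""
    table: dict[int, tuple[str, str]] = {}
    for module, names in exports.items():
        for name in names:
            table[ror13_hash(name)] = (module, name)
    return table

def label_constants(constants, table) -> dict[int, str]:
    """Map each 32-bit constant to 'module!Export', or 'unknown' if no hit."""
    return {c: "!".join(table[c]) if c in table else "unknown" for c in constants}

if __name__ == "__main__":
    # Constructed input: "constants lifted from a sample" are just hashes
    # computed here, plus one value that matches nothing.
    lifted = [ror13_hash("VirtualAlloc"), ror13_hash("NtUnmapViewOfSection"), 0xDEADBEEF]
    for const, label in label_constants(lifted, build_hash_table()).items():
        print(f"0x{const:08x} -> {label}")
```

The practical consequence for defenders is that a `strings` pass over a sample no longer reveals which APIs the payload imports; matching the constants against a precomputed table as above (or a larger hash database) restores that visibility, and runtime behaviour such as the explorer.exe hollowing remains observable regardless of how the imports are hidden.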
Regarding targeted organizations, Kaspersky detected DTrack activity in Germany, Brazil, India, Mexico, Switzerland, Italy, Saudi Arabia, Turkey and the US. Affected sectors include education, chemical manufacturing, governmental research and policy institutes, as well as IT service providers, utility providers and telecommunications.
“The DTrack backdoor continues to be used actively by the Lazarus group. Modifications in the way the malware is packed show that Lazarus still sees DTrack as an important asset,” Kaspersky explained.
“Despite this, Lazarus has not changed the backdoor much since 2019, when it was initially discovered. When the victimology is analyzed, it becomes clear that operations have expanded to Europe and Latin America, a trend we’re seeing more and more often.”
The Kaspersky advisory comes weeks after Microsoft spotted threat actors associated with Lazarus using open-source software to target employees in organizations across multiple industries.