Delaware, USA – September 23, 2019 – The Lazarus group has expanded its toolset with the Dtrack remote access trojan to attack research centers and financial organizations in India. Kaspersky Lab published a report describing the infection process and the malware's capabilities. Researchers discovered the ATMDtrack malware used in attacks on Indian banks a year ago, and a search for similar malware turned up more than 180 trojan samples; the most recent Dtrack samples were used in attacks only a couple of weeks ago. Further analysis of the code allowed the researchers to link these attacks to the 2013 DarkSeoul campaign attributed to the Lazarus group.

The Dtrack dropper hides inside a legitimate portable executable. Once launched, its process hollowing shellcode runs against system processes: when it finds a process from a predefined list, the shellcode suspends it, overwrites its memory with the decrypted payload, and then resumes the process. In addition to the RAT component, the researchers found a number of narrowly focused payloads that can steal browser history, list all files on drives, act as a keylogger, and more. The Dtrack RAT is capable of uploading and downloading files, providing persistence for the group's other tools, dumping folders or disk volumes and uploading them to the attacker's server, and executing a process on the infected system.
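The suspend, overwrite, resume sequence described above is also what a defender can look for. The following Python sketch is an added example, not code from the Kaspersky report or from SOC Prime: it correlates constructed endpoint telemetry (an assumed event schema with suspend, remote memory write and resume actions, an assumed watchlist of protected process images, and an assumed 5-second window) and flags a source process that performs all three steps, in order, against a watchlisted process.

```python
"""Hunt for the process hollowing pattern (suspend -> remote memory write
-> resume against a system process) in constructed endpoint telemetry.
Added example; the event schema, watchlist and window are assumptions,
not details from the Dtrack report."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed watchlist of process images worth protecting. A real deployment
# would take this from policy rather than a literal.
WATCHLIST = {"svchost.exe", "explorer.exe", "lsass.exe"}


@dataclass(frozen=True)
class Event:
    ts: float          # seconds since epoch (constructed values)
    action: str        # "suspend", "write" or "resume"
    source_pid: int    # process performing the action
    target_pid: int    # process being acted on
    target_image: str  # image name of the target process


def find_hollowing(events: Iterable[Event], window: float = 5.0,
                   watchlist=WATCHLIST) -> List[Tuple[int, int, str]]:
    """Return (source_pid, target_pid, target_image) for every case where
    one source suspends a watchlisted process, writes into its memory and
    then resumes it, all within `window` seconds of the suspend."""
    stage = {}  # (source_pid, target_pid) -> (stage reached, time of suspend)
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.source_pid, ev.target_pid)
        if ev.action == "suspend":
            stage[key] = ("suspended", ev.ts)
        elif ev.action == "write":
            st = stage.get(key)
            # Only a write that follows a recent suspend advances the chain;
            # further writes leave it at "written".
            if st and st[0] == "suspended" and ev.ts - st[1] <= window:
                stage[key] = ("written", st[1])
        elif ev.action == "resume":
            st = stage.pop(key, None)
            if (st and st[0] == "written" and ev.ts - st[1] <= window
                    and ev.target_image.lower() in watchlist):
                hits.append((ev.source_pid, ev.target_pid, ev.target_image))
    return hits


# Constructed sample telemetry: one full chain against a watchlisted
# process, a debugger-like suspend/resume without a write, a full chain
# against a non-watchlisted image, and a chain that is too slow.
SAMPLE_EVENTS = [
    Event(100.0, "suspend", 4242, 1337, "svchost.exe"),
    Event(100.2, "write", 4242, 1337, "svchost.exe"),
    Event(100.4, "write", 4242, 1337, "svchost.exe"),
    Event(100.9, "resume", 4242, 1337, "svchost.exe"),
    Event(101.0, "suspend", 5100, 2222, "notepad.exe"),
    Event(101.5, "resume", 5100, 2222, "notepad.exe"),
    Event(102.0, "suspend", 6000, 3333, "myapp.exe"),
    Event(102.1, "write", 6000, 3333, "myapp.exe"),
    Event(102.2, "resume", 6000, 3333, "myapp.exe"),
    Event(200.0, "suspend", 7000, 4444, "explorer.exe"),
    Event(203.0, "write", 7000, 4444, "explorer.exe"),
    Event(210.0, "resume", 7000, 4444, "explorer.exe"),
]


def main() -> None:
    for source, target, image in find_hollowing(SAMPLE_EVENTS):
        print(f"possible hollowing: pid {source} -> pid {target} ({image})")


if __name__ == "__main__":
    main()
```

Legitimate debuggers and some installers also suspend, write to and resume processes, so this is a hunting heuristic rather than a blocking rule; in practice the hit is worth correlating with what the source process is (the article notes the dropper hides inside an otherwise legitimate executable), how it was launched, and whether the target's image on disk still matches what is mapped in memory.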
Dtrack is probably deployed in the ongoing campaign after initial compromise to spy on victims while evading detection by security solutions. The number of malware samples created by North Korean hackers for a single campaign is also impressive. The available resources and the ability to quickly build the necessary tools on top of past developments make the Lazarus group one of the most dangerous threat actors in cyberspace.
You can review the group's known techniques in the MITRE ATT&CK section of Threat Detection Marketplace: https://tdm.socprime.com/att-ck/