"Lazarus Backdoor DTrack Evolves to Target Europe and Latin America"

According to researchers at Kaspersky, the DTrack backdoor, widely used by the North Korean Lazarus group over the last three years, is still being deployed against organizations in Europe and the US. DTrack has been used in financial environments to breach ATMs, in ransomware attacks, and in campaigns against a nuclear power plant in India. The researchers stated that DTrack allows criminals to upload, download, start, or delete files on the victim host. Among the downloaded and executed files already found in the standard DTrack toolset, the researchers spotted a keylogger, a screenshot maker, and a module for gathering victims' system information. The researchers noted that with a toolset like this, criminals can implement lateral movement into the victims' infrastructure in order to, for example, retrieve compromising information. From a technical standpoint, the researchers said that DTrack had not changed substantially over time, but the threat actors behind it had made some "interesting" modifications. The researchers stated that DTrack hides itself inside an executable that looks like a legitimate program, and that there are several stages of decryption before the malware payload starts. After these stages, once the final payload is decrypted, it is loaded into the explorer.exe process using process hollowing. The researchers noted that in previous DTrack samples, the names of the libraries to be loaded were stored as obfuscated strings; more recent versions instead use API hashing to load the proper libraries and functions. Another small change is that three C2 servers are used instead of six. Regarding targeted organizations, Kaspersky detected DTrack activity in Germany, Brazil, India, Mexico, Switzerland, Italy, Saudi Arabia, Turkey, and the US. Affected sectors include education, chemical manufacturing, governmental research and policy institutes, IT service providers, utility providers, and telecommunications.

Infosecurity reports: "Lazarus Backdoor DTrack Evolves to Target Europe and Latin America"