North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America.
DTrack is a modular backdoor featuring a keylogger, a screenshot snapper, a browser history retriever, a running-process snooper, an IP address and network connection information stealer, and more.
Apart from spying, it can also execute commands to perform file operations, fetch additional payloads, steal files and data, and run processes on the compromised device.
The new version of the malware does not have many functional or code changes compared to samples analyzed in the past, but it is now being deployed far more widely.
A wider distribution
As Kaspersky explains in a report published today, their telemetry shows DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States.
Targeted sectors include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunications providers, utility providers, and education.
In the new campaign, Kaspersky observed DTrack being distributed using filenames commonly associated with legitimate executables.
For example, a sample they shared is distributed under the file name "NvContainer.exe", which is the same name as a legitimate NVIDIA file.
Kaspersky told BleepingComputer that DTrack is still installed by breaching networks using stolen credentials or by exploiting servers exposed to the internet, as seen in previous campaigns.
Once launched, the malware goes through several stages of decryption before its final payload is loaded via process hollowing into an "explorer.exe" process, running directly from memory.
The only differences from older DTrack variants are that it now uses API hashing to load libraries and functions instead of obfuscated strings, and the number of C2 servers has been halved to just three.
Some of the C2 servers discovered by Kaspersky are "pinkgoat[.]com", "purewatertokyo[.]com", "purple bear[.]com" and "salmonrabbit[.]com".
Kaspersky attributes this activity to the North Korean hacking group Lazarus and says the threat actors use DTrack whenever they see potential for financial gain.
In August 2022, the same researchers linked the backdoor to the North Korean hacking group tracked as "Andariel", which deployed Maui ransomware on corporate networks in the United States and South Korea.
In February 2020, Dragos linked DTrack to a North Korean threat group, "Wassonite", which attacked nuclear energy and oil and gas facilities.
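Two of the behaviours described above, a lookalike filename such as "NvContainer.exe" running from the wrong place and a payload hollowed into "explorer.exe", leave traces in ordinary process-creation telemetry. The triage helper below is an added example (not Kaspersky's or BleepingComputer's code); the expected directories, signers and normal explorer.exe parents are assumed baselines, and the sample events are constructed.

```python
"""Flag process-creation events that match the two tradecraft points above:
a vendor-named binary outside its expected location/signer, and explorer.exe
launched by an unusual parent (a possible hollowing host). Baselines are
illustrative assumptions, not values from the report."""
from dataclasses import dataclass
from typing import Optional

# Assumed baseline: where a genuine binary of this name lives and who signs it.
KNOWN_BINARIES = {
    "nvcontainer.exe": {"dirs": (r"c:\program files\nvidia corporation",),
                        "signer": "NVIDIA Corporation"},
    "explorer.exe": {"dirs": (r"c:\windows",), "signer": "Microsoft Windows"},
}
# Assumed baseline of parents that normally start explorer.exe.
NORMAL_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe", "svchost.exe"}


@dataclass
class ProcessEvent:
    name: str
    path: str
    parent: str
    signer: Optional[str]  # None when the image is unsigned


def triage(event: ProcessEvent) -> list:
    """Return human-readable findings for one event; empty list means benign."""
    findings = []
    name, path = event.name.lower(), event.path.lower()
    known = KNOWN_BINARIES.get(name)
    if known:
        if not any(path.startswith(d) for d in known["dirs"]):
            findings.append(f"{event.name} running from unexpected directory {event.path}")
        if event.signer != known["signer"]:
            findings.append(f"{event.name} not signed by {known['signer']}")
    if name == "explorer.exe" and event.parent.lower() not in NORMAL_EXPLORER_PARENTS:
        findings.append(f"explorer.exe started by unusual parent {event.parent}")
    return findings


# Constructed sample telemetry (not real indicators from the campaign).
SAMPLE_EVENTS = [
    ProcessEvent("NvContainer.exe", r"C:\Program Files\NVIDIA Corporation\NvContainer\NvContainer.exe",
                 "services.exe", "NVIDIA Corporation"),          # legitimate
    ProcessEvent("NvContainer.exe", r"C:\Users\Public\NvContainer.exe", "cmd.exe", None),  # lookalike
    ProcessEvent("explorer.exe", r"C:\Windows\explorer.exe", "NvContainer.exe", "Microsoft Windows"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.path, "->", triage(e) or ["ok"])
```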
Source: https://information.google.com/__i/rss/rd/articles/CBMibmh0dHBzOi8vd3d3LmJsZWVwaW5nY29tcHV0ZXIuY29tL25ld3Mvc2VjdXJpdHkvbm9ydGgta29yZWFuLWhhY2tlcnMtdGFyZ2V0LWV1cm9wZWFuLW9yZ3Mtd2l0aC11cGRhdGVkLW1hbHdhcmUv0gFyaHR0cHM6Ly93d3cuYmxlZXBpbmdjb21wdXRlci5jb20vbmV3cy9zZWN1cml0eS9ub3J0aC1rb3JlYW4taGFja2Vycy10YXJnZXQtZXVyb3BlYW4tb3Jncy13aXRoLXVwZGF0ZWQtbWFsd2FyZS9hbXAv?oc=5