North Korean APT Using a New Version of DTrack Spyware

Kaspersky researchers reported on a new variant of DTrack spyware, which can track and steal sensitive details of targets anywhere.

They linked the new version’s usage by North Korean hackers, who’re using DTrack against companies in Europe and Latin America this time. This backdoor spyware will execute itself in the target’s system memory, thus staying in there longer period without being detected.

DTrack New Version

A North Korean hacking group called Lazarus is reportedly using a new version of DTrack – a backdoor malware that’s used for spying on targets and installing additional malware.

Detailing their operation, Kaspersky researchers said the hacking group is using DTrack against organizations in Latin America and Europe.

More specifically, they’re targeting government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunication providers, and education entities in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States.

This backdoor malware can do a range of activities like keylogging, screenshot grabber, browser history retrieving, snooping on a running process, snatching IP address and network connection information, etc. Aside from these, it can also be used for executing remote commands on the target system.

Ransomware actors, too, use DTrack to install their payloads and encrypt the target’s systems. Well, it often masquerades with legitimate file names in the compromised device before unpacking in multiple steps and installing itself directly in the system memory.

Researchers noted that DTrack’s new version would sit in the compromised device as the “explorer.exe” process and spread through stolen credentials or exploiting the internet-exposed servers.

Well, the new version is said to be slightly different (making it better) when compared to the old one – with the latest one using API hashing to load libraries and functions instead of obfuscated strings. This effectively reduced the number of C2 servers to just three, which is half of what its previous variants used.

LEAVE A REPLY

Please enter your comment!
Please enter your name here