DTrack Revised Version used by Lazarus Group
Researchers from Kaspersky have warned that the North Korea-linked APT group Lazarus is using a new version of the DTrack backdoor to attack organizations in Europe and Latin America.
DTrack is a modular backdoor used by the Lazarus group that has been employed in attacks against a wide variety of targets. It allows attackers to gather information from the infected host, upload, download and manipulate files on it, exfiltrate data, and execute commands.
The DTrack versions used in recent attacks are similar to past ones but are now employed against a growing number of targets. The backdoor's unpacking process consists of several stages.
The second-stage malicious code is stored inside the malware's PE file. DTrack retrieves the payload either by reading it from an offset within the file or by reading it from a resource within the PE binary. The payload is heavily obfuscated shellcode, and the APT group used a different encryption method for each sample.
Unlike previous DTrack variants, the one employed in the recent attacks can use more than three stages.
Once the final payload is decrypted, the malicious code uses process hollowing to load itself into explorer.exe. Another change in recent campaigns is that the new variants of the backdoor use three C2 servers instead of six.
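A stage stored at an offset inside the PE and encrypted with a per-sample scheme tends to stand out as a high-entropy region in an otherwise structured file. The following triage helper, an added example and not code from Kaspersky's report or from the malware, slides a window over a file and reports candidate embedded-stage regions; the window size, step, 7.0-bit threshold and the sample bytes are assumptions constructed for the demonstration.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for an empty or constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(buf: bytes, window: int = 512, step: int = 128,
                              threshold: float = 7.0) -> list:
    """Slide a window over buf and return merged (start, end, peak_entropy) spans
    where the window entropy is at or above threshold. Window size, step and the
    7.0-bit threshold are assumed triage defaults, not values from the report."""
    regions = []
    for off in range(0, max(1, len(buf) - window + 1), step):
        ent = shannon_entropy(buf[off:off + window])
        if ent < threshold:
            continue
        if regions and off <= regions[-1][1]:
            start, end, peak = regions[-1]          # overlaps the previous hit: extend it
            regions[-1] = (start, off + window, max(peak, ent))
        else:
            regions.append((off, off + window, ent))
    return regions


def build_sample(seed: int = 1):
    """Constructed sample file: a low-entropy loader-like stub, a pseudo-random blob
    standing in for an encrypted stage at offset 2048, then zero padding.
    Returns (bytes, blob_start, blob_end)."""
    rng = random.Random(seed)                       # seeded so the result is reproducible
    stub = (b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n") * 20
    stub = stub[:2048]
    blob = bytes(rng.getrandbits(8) for _ in range(1024))
    return stub + blob + b"\x00" * 1024, 2048, 3072


if __name__ == "__main__":
    sample, blob_start, blob_end = build_sample()
    for start, end, peak in find_high_entropy_regions(sample):
        print(f"candidate embedded stage at 0x{start:x}-0x{end:x} (peak {peak:.2f} bits/byte)")
```

Compressed or legitimately packed sections also score high, so a hit is a pointer for an analyst to inspect the offset or resource, not a verdict on its own.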
Kaspersky reported attacks against entities in multiple industries, including education, chemical manufacturing, governmental research centers and policy institutes, IT service providers, utility providers, and telecommunications.
Recent attacks hit entities in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States.