Hackers tied to the North Korean government have been observed using an updated version of a backdoor known as Dtrack against a wide range of industries in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the U.S.
“Dtrack allows criminals to upload, download, start or delete files on the victim host,” Kaspersky researchers Konstantin Zykov and Jornt van der Wiel explained in a report.
The victimology patterns show an expansion into Europe and Latin America. Sectors targeted by the malware include education, chemical manufacturing, government research centers and policy institutes, IT service providers, utility providers, and telecommunications companies.
Dtrack, also known as Valefor and Preft, is the handiwork of Andariel, a subgroup of the Lazarus nation-state threat actor that is publicly tracked by the broader cybersecurity community under the monikers Operation Troy, Silent Chollima, and Stonefly.
Discovered in September 2019, the malware was previously deployed in a cyber attack aimed at a nuclear power plant in India, with more recent intrusions using Dtrack as part of Maui ransomware attacks.
Industrial cybersecurity firm Dragos has since attributed the nuclear facility attack to a threat actor it calls WASSONITE, noting the use of Dtrack for remote access to the compromised network.
The latest changes observed by Kaspersky concern how the implant hides itself inside a seemingly legitimate program (“NvContainer.exe” or “XColorHexagonCtrlTest.exe”) and its use of three layers of encryption and obfuscation designed to make analysis more difficult.
The final payload, once decrypted, is injected into the Windows File Explorer process (“explorer.exe”) using a technique called process hollowing. Chief among the modules downloaded through Dtrack is a keylogger, as well as tools to capture screenshots and collect system information.
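The two behaviours just described, a lookalike filename and a hollowed explorer.exe, are both visible in ordinary process-creation telemetry. The following is an added example of how a defender might hunt for them in such records; it is not code from Kaspersky or from the article. The event layout, the sample events, the trusted NVIDIA install directory and the assumption that a healthy explorer.exe runs from C:\Windows and is started by userinit.exe (or by explorer.exe itself on a shell restart) are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Filenames the Kaspersky report says the implant hides behind.
DTRACK_LURE_NAMES = {"nvcontainer.exe", "xcolorhexagonctrltest.exe"}

# Assumption: where a genuine NVIDIA container binary lives on a workstation.
# A real deployment would replace this with a locally verified allowlist.
TRUSTED_LURE_DIRS = ("c:\\program files\\nvidia corporation\\",)

# Assumption for the hollowing heuristic: the interactive explorer.exe is
# normally started by userinit.exe (or by explorer.exe when the shell restarts)
# and runs from the Windows directory. Anything else deserves a look.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe"}
EXPECTED_EXPLORER_PATH = r"c:\windows\explorer.exe"


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed field set for this example)."""
    pid: int
    image: str          # full path of the new process image
    parent_image: str   # full path of the parent process image


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def flag_event(ev: ProcEvent) -> List[str]:
    """Return the reasons (possibly none) this event is suspicious."""
    reasons: List[str] = []
    name = _basename(ev.image)
    path = _norm(ev.image)

    # 1. Lure filename outside its trusted vendor directory.
    if name in DTRACK_LURE_NAMES and not path.startswith(TRUSTED_LURE_DIRS):
        reasons.append(f"image name {name} matches a Dtrack lure filename "
                       f"and runs from untrusted path {ev.image}")

    # 2. explorer.exe that does not look like the real shell: wrong path, or
    #    spawned by a parent that never legitimately starts the shell. A hollowed
    #    explorer.exe started by the implant trips the parent check.
    if name == "explorer.exe":
        if path != EXPECTED_EXPLORER_PATH:
            reasons.append(f"explorer.exe running from unexpected path {ev.image}")
        parent = _basename(ev.parent_image)
        if parent not in EXPECTED_EXPLORER_PARENTS:
            reasons.append(f"explorer.exe spawned by unexpected parent {parent}")
    return reasons


def scan(events: Iterable[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that raised at least one reason."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            findings[ev.pid] = reasons
    return findings


# Constructed sample telemetry: one benign shell start, one legitimate NVIDIA
# process, one lure dropped in a temp directory, and an explorer.exe spawned by it.
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ProcEvent(2004, r"C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(2002, r"C:\Users\alice\AppData\Local\Temp\NvContainer.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent(2003, r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Local\Temp\NvContainer.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run on the sample set, the benign shell (1001) and the real NVIDIA service (2004) pass, the temp-directory lure (2002) is flagged by name-and-path, and the explorer.exe it starts (2003) is flagged by its parent even though its own path is the genuine one. The name check alone would be noisy on any machine with NVIDIA drivers, which is why the path allowlist is part of the rule rather than an afterthought.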
“The Dtrack backdoor continues to be used actively by the Lazarus group,” the researchers concluded. “Changes in the way the malware is packed show that Lazarus still sees Dtrack as an important asset.”
Some parts of this article are sourced from:
thehackernews.com