Virtualization Technology News and Information
Article
RSS
DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers
Kaspersky Global Research and Analysis Team have discovered a previously unknown spy tool, which had been spotted in Indian financial institutions and research centers. Called Dtrack, this spyware reportedly was created by the Lazarus group and is being used to upload and download files to victims' systems, record key strokes and conduct other actions typical of a malicious remote administration tool (RAT).

In 2018, Kaspersky researchers discovered ATMDtrack - malware created to infiltrate Indian ATMs and steal customer card data. Following further investigation using the Kaspersky Attribution Engine and other tools, the researchers found more than 180 new malware samples that had code sequence similarities with the ATMDtrack, but at the same time were not aimed at ATMs. Instead, its list of functions defined it as spy tools, now known as Dtrack. Moreover, not only did the two strains share similarities with each other, but also with the 2013 DarkSeoul campaign, which was attributed to Lazarus - an infamous advanced persistence threat actor responsible for multiple cyberespionage and cyber sabotage operations.

Dtrack can be used as a RAT, giving threat actors complete control over infected devices. Criminals can then perform different operations, such as uploading and downloading files and executing key processes.

Entities targeted by threat actors using Dtrack RAT often have weak network security policies and password standards, while also failing to track traffic across the organization. If successfully implemented, the spyware is able to list all available files and running processes, key logging, browser history and host IP addresses, including information about available networks and active connections.

The newly discovered malware is active and based on Kaspersky telemetry, and is still used in cyberattacks.

"Lazarus is a rather unusual nation state sponsored group. On one hand, as many other similar groups do, it focuses on conducting cyberespionage or sabotage operations. Yet on the other hand, it has also been found to influence attacks that are clearly aimed at stealing money. The latter is quite unique for such a high profile threat actor because generally, other actors do not have financial motivations in their operations," said Konstantin Zykov security researcher, Kaspersky Global Research and Analysis Team. "The vast amount of Dtrack samples we found demonstrate how Lazarus is one of the most active APT groups, constantly developing and evolving threats in a bid to affect large-scale industries. Their successful execution of Dtrack RAT proves that even when a threat seems to disappear, it can be resurrected in a different guise to attack new targets. Even if you are a research center, or a financial organization that operates solely in commercial sector with no government affiliates, you should still consider the possibility of being attacked by a sophisticated threat actor in your threat model and prepare respectively."

Kaspersky products successfully detect and block the Dtrack malware.

To avoid being affected by malware, such as Dtrack RAT, Kaspersky recommends:

More information about the new malware used by Lazarus group can be found on Securelist.
Published Monday, September 23, 2019 10:11 AM by David Marshall
Filed under:
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
top25
Calendar
<September 2019>
SuMoTuWeThFrSa
25262728293031
1234567
891011121314
15161718192021
22232425262728
293012345