- The Dtrack RAT has been attributed to the Lazarus group, which is said to be fairly active in terms of malware development.
- This RAT has been targeting Indian financial institutions and research centers with tools similar to those used in the 2013 Seoul campaigns.
Researchers from Kaspersky discovered the Dtrack spy tool when they were analyzing the ATMDtrack malware that was targeting Indian banks.
The Dtrack samples discovered first turned out to be dropped payloads: the real payloads were carried encrypted inside various droppers. Decrypting the final payload revealed several similarities with the DarkSeoul campaign, which led to the campaign being attributed to the Lazarus group.
Researchers believe that part of the old code was reused in the attacks against the Indian financial sector. The last detected activity of the Dtrack RAT was in early September 2019.
What the research says
The dropper has an encrypted payload embedded as an overlay of a PE file. The overlay data, when decrypted, contains an extra executable, process hollowing shellcode, and a list of predefined executable names.
- Its decryption routine has been observed to start between the start() and WinMain() functions.
- The malicious code is embedded into a binary that is otherwise a harmless executable, such as a Visual Studio MFC project.
- Once the data is decrypted, the process hollowing code starts. It takes the name of the process to be hollowed as an argument.
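The dropper layout described above (an encrypted payload appended as an overlay after the last PE section) is something an analyst can check for without executing the sample: the overlay begins where the last section's raw data ends, and a high-entropy overlay is a cue that it is encrypted or packed. The following Python is an added triage example written for this article, not Kaspersky's or the malware's code; the decryption algorithm used by the real dropper is not reproduced here, and the minimal PE image is a constructed test input (a fake layout with one section, not a loadable executable).

```python
import math
import struct
from collections import Counter


def overlay_offset(pe: bytes) -> int:
    """Return the file offset where the PE overlay begins.

    The overlay is whatever follows the end of the last section's raw data
    (or the header area, if no section stores raw data). Returns len(pe)
    when the file carries no overlay.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    sect_table = coff + 20 + size_opt
    end = sect_table + 40 * num_sections  # headers count as used bytes
    for i in range(num_sections):
        off = sect_table + 40 * i
        # Section header: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", pe, off + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(pe))


def extract_overlay(pe: bytes) -> bytes:
    """Return the overlay bytes (empty if the image has none)."""
    return pe[overlay_offset(pe):]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8 suggest encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_fake_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Constructed test input: a minimal PE layout with one section plus an overlay.

    Only the fields the parser reads are meaningful; the optional header is
    left empty, so this is a layout fixture, not a runnable Windows binary.
    """
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    num_sections, size_opt = 1, 0
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, size_opt, 0x102)
    header_end = e_lfanew + 4 + 20 + size_opt + 40 * num_sections
    ptr_raw = (header_end + 0x1FF) & ~0x1FF  # 512-byte file alignment
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), ptr_raw, 0, 0, 0, 0, 0x60000020)
    image = (dos + b"PE\0\0" + coff + sect).ljust(ptr_raw, b"\0") + section_data
    return image + overlay


if __name__ == "__main__":
    sample = build_fake_pe(b"\x90" * 16, bytes(range(256)) * 4)  # constructed high-entropy overlay
    ov = extract_overlay(sample)
    print(f"overlay at 0x{overlay_offset(sample):x}, {len(ov)} bytes, "
          f"entropy {shannon_entropy(ov):.2f} bits/byte")
```

An overlay by itself is not malicious (installers and signed binaries legitimately carry one), so the useful signal is the combination: a small MFC-style executable with a large, near-8-bit-entropy overlay is worth a closer look.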
Looking at the dropper
The droppers were found to contain several executables for spying purposes.
- A few payload executables were found to be capable of keylogging, listing running processes, listing files on all disk volumes, harvesting details about available networks and active connections, and stealing host IP addresses.
- Some executables pack the collected data into a password-protected archive and save it to disk. Other executables send the data directly to their command-and-control server.
“Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading/downloading, executing files, etc,” said the researchers.
Dtrack vs ATMDtrack
Although ATMDtrack is part of the Dtrack family, the two look different: the ATMDtrack samples are not encrypted, while Dtrack comes with an encrypted payload inside the dropper.
However, once the Dtrack payload is decrypted, the similar style and implemented functions suggest that the same developer is behind both pieces of malware. A striking example of this is the string manipulation function, which checks whether a parameter string starts with the CCS_ substring; if it does, the substring is removed and the modified string is returned. If the CCS_ substring is not present, the first byte is used as an XOR argument to return the decrypted string.
Researchers also identified unique sequences that were common in the ATMDtrack and Dtrack memory dumps.
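The string routine shared by ATMDtrack and Dtrack is small enough to reimplement, which is how an analyst can recover readable strings from a memory dump of either sample without running it. The Python below is an added example written for this article, not the researchers' or the malware's code. It follows the two branches the report describes (strip a leading CCS_, otherwise XOR with the first byte); that the key byte itself is dropped from the output, and the NUL-separated scan over a dump, are assumptions made here, and the dump and the encoding helper used to build it are constructed test data.

```python
PREFIX = b"CCS_"


def decode_string(param: bytes) -> bytes:
    """Decode one parameter string using the logic described in the report.

    - Starts with "CCS_": drop the prefix and return the remainder unchanged.
    - Otherwise: the first byte is the XOR key for every byte that follows
      (assumption: the key byte is not part of the decoded output).
    """
    if param.startswith(PREFIX):
        return param[len(PREFIX):]
    if not param:
        return b""
    key = param[0]
    return bytes(b ^ key for b in param[1:])


def encode_string(plain: bytes, key: int) -> bytes:
    """Inverse of the XOR branch; constructed helper for building test vectors only."""
    return bytes([key]) + bytes(b ^ key for b in plain)


def is_printable(data: bytes) -> bool:
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def scan_dump(dump: bytes, min_len: int = 4) -> list:
    """Split a dump on NUL bytes, run each run through the decoder and keep
    results that come out as printable ASCII (assumed heuristic)."""
    found = []
    for chunk in dump.split(b"\0"):
        if len(chunk) < min_len:
            continue
        decoded = decode_string(chunk)
        if is_printable(decoded):
            found.append(decoded)
    return found


# Constructed dump: one plain CCS_-prefixed string, one XOR-encoded string,
# and a short run of junk bytes that the scanner should ignore.
SAMPLE_DUMP = (
    b"CCS_kernel32.dll\0"
    + encode_string(b"GetProcAddress", 0x5A)
    + b"\0\xff\xfe\x01\0"
)

if __name__ == "__main__":
    for s in scan_dump(SAMPLE_DUMP):
        print(s.decode("ascii"))
```

Because the XOR branch keys on a byte that sits inside the string, the same plaintext looks different every time the key changes, so a static signature on the encoded form is brittle; a decoder like this, run over dumps, is the more robust way to confirm the family link the researchers describe.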
Defending against Dtrack
As the criminals are looking to gain partial control over the network for spying through this campaign, security experts recommend that companies:
- Enhance network and password policies
- Use traffic monitoring software and antivirus solutions
Apart from these, companies should also be on the lookout for these indicators of compromise (IOCs):