Researchers from Kaspersky discovered the Dtrack spy tool when they were analyzing the ATMDtrack malware that was targeting Indian banks.
The initially discovered Dtrack samples were observed to be dropped ones, because the real payloads were encrypted with various droppers. On decrypting the final payload, several similarities with the DarkSeoul campaign emerged. This led to the campaign being associated with the Lazarus group.
Researchers believe that a part of the old code was reused in the attacks against Indian financial sectors. Early September 2019 witnessed the last detected activity of the Dtrack RAT.
What the research says
The dropper has an encrypted payload embedded as an overlay of a PE file. The overlay data, when decrypted, contains an extra executable, process hollowing shellcode, and a list of predefined executable names.
Looking at the dropper
The droppers were found to be containing several executables for spying purposes.
“Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading/downloading, executing files, etc,” said the researchers.
Dtrack vs ATMDtrack
Although the ATMDtrack is a part of the Dtrack family, they both look different. The ATMDtrack samples are not encrypted, while the Dtrack comes with an encrypted payload within the dropper.
However, once the Dtrack payload is decrypted, similar style and implemented functions suggest that the same developer is behind both pieces of malware. A striking example of this is the string manipulation function that checks for a CCS_ substring at the start of a parameter string and removes it to return a modified string. If the CCS_ substring is not present, the first byte is used as an XOR argument to return the decrypted string.
Researchers also identified unique sequences that were common in the ATMDtrack and Dtrack memory dumps.
Defending against Dtrack
As the criminals are looking to gain partial control over the network for spying through this campaign, security experts recommend companies to:
Apart from these, companies should also be on the lookout for these indicators of compromise (IOCs):