North Korean hacking group Lazarus Group is using DTrack malware as an important asset in its operations against a wide variety of targets. Recently, it has been found using a new modified variant of the DTrack backdoor to attack organizations in Europe and South America.

What’s new?

According to Kaspersky researchers, the latest DTrack variant doesn't feature many functional or code changes compared to samples analyzed in the past.
  • In this campaign, Dtrack hides inside legitimate-looking executable files, such as NvContainer.exe, which is the same as a legitimate NVIDIA file.
  • The latest variant uses API hashing to load the proper libraries and functions and the number of C2 servers has been cut by half to just three. The rest of the payload’s functionality is the same as the previous variants.

Decryption stages

There are several stages of decryption before the malware payload starts.
  • In the first stage, DTrack uses its offset-oriented retrieval function. 
  • The second stage is stored inside the malware PE file and consists of heavily obfuscated shellcode, different encryption methods, and modified versions of RC4, RC5, and RC6 algorithms.
  • The third stage payload can be the final payload (a DLL) that is decrypted and loaded via process hollowing into an explorer.exe process or it may further contain another piece of binary data consisting of a binary configuration and at least one shellcode, which, in turn, decrypts and executes the final payload.

Attack targets

DTrack continues to be installed by breaching networks using stolen credentials or exploiting Internet-exposed servers, however, it is now deployed far more widely.
  • It targets organizations in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the U.S. in its expanded operations.
  • It is targeting prominent sectors for financial gain that includes government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunication providers, utility service providers, and education.

Conclusion

Lazarus has launched numerous campaigns focused on disruption, sabotage, financial theft, and espionage over the years. Since 2019, it is using DTrack in several attacks and it can also facilitate lateral movement inside the victims’ networks. A prominent hacker group like Lazarus can do a lot more harm with DTrack. Organizations are recommended to use multilayered security solutions to get real-time protection against targeted attacks.
Cyware Publisher

Publisher

Cyware