Heimdal

Organizations in Europe and Latin America are at risk: the North Korean hacking group Lazarus is using a new version of the DTrack backdoor to target companies in those regions.

The backdoor bundles a keylogger, a screenshot grabber, a browser-history collector, and a module that harvests IP-address and network-connection information. Beyond spying, it can run commands to perform file operations, steal files and data, and execute processes on the compromised device.

Compared with the previous version of the malware, the current one introduces few changes, but it is now deployed far more widely.

Targeted Areas and Malware Spreading

As per BleepingComputer, DTrack activity was reported in countries such as Germany, Italy, Switzerland, India, Brazil, Turkey, Saudi Arabia, and the United States.

The industries that are being targeted include government research facilities, policy research organizations, chemical producers, IT service providers, telecom service providers, utility service providers, and educational institutions.

In this new campaign, DTrack has been observed distributed under filenames that mimic legitimate executables. As in previous operations, the malware is still deployed after breaking into networks with stolen credentials or by exploiting servers exposed to the Internet.

When first launched, the malware goes through several decryption stages and then loads its final payload via process hollowing into an “explorer.exe” process, so the payload runs directly from memory and never touches disk in decrypted form.

The only two differences from previous DTrack versions are that it now resolves libraries and functions through API hashes rather than obfuscated strings, and that the number of C2 servers has been reduced from six to three.
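API hashing replaces readable import names with 32-bit constants, so an analyst who wants the import list back has to hash known export names and look the constants up. The script below is an added example of that workflow, not code from Heimdal, Kaspersky or the DTrack sample: it uses the classic ROR13 hash as an assumption (the article does not say which algorithm DTrack uses), and the export lists are constructed rather than dumped from real DLLs.

```python
"""Resolving API-hashed imports, as an analyst would.

A loader that hides its imports walks a DLL's export table, hashes each
export name and compares the result with a hardcoded 32-bit constant, so
no API names appear as strings. The analyst inverts this by hashing known
export names and looking the constants up. ROR13 is used here as an
assumption (the page does not say which algorithm DTrack uses), and the
export lists are constructed, not dumped from real DLLs.
"""
import struct


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR13 hash of an export name, including the NUL terminator that the
    in-memory export-table string carries (matches the classic shellcode
    resolver loop)."""
    h = 0
    for byte in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Constructed stand-in for the export tables an analyst would dump with
# pefile or from a Windows install; only a handful of names are listed.
EXPORTS = {
    "kernel32.dll": ["CreateProcessW", "GetProcAddress", "LoadLibraryA",
                     "VirtualAlloc", "WriteProcessMemory", "ResumeThread"],
    "ntdll.dll": ["NtUnmapViewOfSection", "NtQueryInformationProcess"],
}


def build_hash_table(exports):
    """Map hash -> (dll, export). A collision between two different names
    would make a constant ambiguous, so it is reported rather than ignored."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            h = ror13_hash(name)
            if h in table and table[h] != (dll, name):
                raise ValueError(f"hash collision: {table[h]!r} vs {(dll, name)!r}")
            table[h] = (dll, name)
    return table


TABLE = build_hash_table(EXPORTS)


def resolve(table, h):
    """Look up one hardcoded constant; None means it is not in our export lists."""
    return table.get(h & 0xFFFFFFFF)


def resolve_hash_blob(table, blob):
    """Hash constants in a sample usually sit in a little-endian DWORD array;
    unpack it and resolve each entry, keeping the raw value for unknowns."""
    count = len(blob) // 4
    hashes = struct.unpack(f"<{count}I", blob[: count * 4])
    return [resolve(table, h) or ("?", f"0x{h:08x}") for h in hashes]


if __name__ == "__main__":
    # Constructed hash array as it might be carved out of a sample; the
    # names chosen are the ones a process-hollowing loader needs.
    blob = struct.pack("<4I", ror13_hash("VirtualAlloc"),
                       ror13_hash("WriteProcessMemory"),
                       ror13_hash("NtUnmapViewOfSection"), 0xDEADBEEF)
    for dll, name in resolve_hash_blob(TABLE, blob):
        print(f"{dll:14s} {name}")
```

In practice you build `EXPORTS` from every DLL the sample can load (pefile over a clean Windows install is enough) and try several hash algorithms, since each family picks its own; an unresolved constant usually means a different algorithm, a case-folded name, or a DLL you have not dumped yet.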

Some of the uncovered C2 servers are: “purplebear[.]com”, “pinkgoat[.]com”, “purewatertokyo[.]com”, and “salmonrabbit[.]com”.
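Indicators are published defanged (“[.]” instead of “.”) so they cannot be clicked, which means a detection rule has to refang them first and then match both the bare domain and its subdomains without catching look-alikes. The script below is an added example of that sweep over resolver logs, not code from Heimdal or from the report it cites: the domain list is the one above, the log lines are constructed for the demo, and the assumed “<timestamp> <client-ip> <qname> <qtype>” layout should be adapted to your resolver's real format.

```python
"""Matching DNS queries against the published DTrack C2 domains.

Added example: the domain list is the one on the page, in its defanged
"[.]" form; the log lines are constructed for the demo and follow an
assumed "<timestamp> <client-ip> <qname> <qtype>" layout, so adapt the
parser to your resolver's real format.
"""

DEFANGED_C2 = [
    "purplebear[.]com",
    "pinkgoat[.]com",
    "purewatertokyo[.]com",
    "salmonrabbit[.]com",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a comparable domain name."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


C2_DOMAINS = frozenset(refang(d) for d in DEFANGED_C2)


def is_c2_domain(qname: str, c2: frozenset = C2_DOMAINS) -> bool:
    """True for the domain itself or any subdomain of it. Requiring a "."
    before the suffix avoids matching look-alikes such as notpurplebear.com."""
    q = qname.strip().lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in c2)


# Constructed resolver log, not real traffic.
SAMPLE_DNS_LOG = """\
2022-11-15T10:22:01Z 10.0.0.15 update.microsoft.com A
2022-11-15T10:22:07Z 10.0.0.15 www.purplebear.com. A
2022-11-15T10:22:09Z 10.0.0.22 notpurplebear.com A
2022-11-15T10:23:40Z 10.0.0.31 cdn.salmonrabbit.com AAAA
2022-11-15T10:24:02Z 10.0.0.15 PINKGOAT.COM A
"""


def find_c2_queries(log_text: str, c2: frozenset = C2_DOMAINS):
    """Return (timestamp, client, qname) for every query that hits a C2 domain;
    malformed lines are skipped rather than aborting the sweep."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, qname = parts[0], parts[1], parts[2]
        if is_c2_domain(qname, c2):
            hits.append((ts, client, qname))
    return hits


if __name__ == "__main__":
    for ts, client, qname in find_c2_queries(SAMPLE_DNS_LOG):
        print(f"{ts} {client} -> {qname}")
```

Two things worth keeping from this even if you rewrite it for a SIEM: case-fold and strip the trailing dot before comparing, because resolvers log FQDNs inconsistently, and match on a “.”-prefixed suffix rather than a substring so that registered look-alike names do not produce false positives.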

About Lazarus

The North Korean hacking group is already notorious among threat actors. Active since 2009, Lazarus has been linked to ransomware campaigns, cryptocurrency scams, cyber espionage, and more.

The campaigns the group has conducted so far this year have been enough to put it in first place among active threat groups. Two of the most notorious were the fake Crypto.com job offers and the FudModule rootkit campaign, which abused a Dell driver bug.

Author Profile

Cristian Neagu

CONTENT EDITOR
