European and Latin American organizations are at risk. North Korean hacking group Lazarus is using a new version of the DTrack backdoor to target companies in these geographical areas.
The backdoor bundles a keylogger, a screenshot grabber, a browser-history collector, and a module that harvests IP addresses and network connection information. Beyond spying, it can run commands to perform file operations, steal files and data, and execute processes on the compromised device.
Compared to the old version of the malware, the current version does not feature many changes, but it is now deployed far more widely.
Targeted Areas and Malware Spreading
As per BleepingComputer, DTrack activity was reported in countries such as Germany, Italy, Switzerland, India, Brazil, Turkey, Saudi Arabia, and the United States.
The industries that are being targeted include government research facilities, policy research organizations, chemical producers, IT service providers, telecom service providers, utility service providers, and educational institutions.
In this new campaign, DTrack has been observed under file names that mimic legitimate executables. As in previous operations, the malware is still deployed by breaking into networks with stolen credentials or by exploiting servers exposed to the Internet.
When first launched, the malware goes through several decryption stages and then loads its final payload directly from memory, using process hollowing to inject it into an "explorer.exe" process.
The only two differences from previous DTrack versions are that it now resolves libraries and functions by API hash rather than by obfuscated strings, which leaves no import names for string-based scanners to match, and that the number of C2 servers has been reduced from six to three.
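To make the API-hashing change concrete, here is an added example (not DTrack code, and not from the article's source) showing both sides of the technique: how a loader resolves an import by walking a module's export names and comparing hashes, so that no API name string exists in the binary, and how an analyst reverses this by precomputing hashes over known export lists. The rotate-right-13 hash is an illustrative choice borrowed from common shellcode loaders and is an assumption, not a claim about DTrack's actual algorithm; the export table and addresses are constructed stand-ins for what would be dumped from kernel32.dll and ntdll.dll, chosen to cover the APIs a process-hollowing routine typically needs.

```python
"""API-hash resolution as used by loaders that avoid storing import names as
strings, plus the analyst-side reversal of it.

Added example for this article; it is not DTrack code. The ROR13 hash is an
illustrative, Metasploit-style rotate-right-13 hash, not a claim about the
algorithm DTrack uses.
"""
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """Hash an export name byte by byte: rotate the accumulator right 13 bits,
    then add the next byte. Only the 32-bit result is embedded in the binary."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def loader_resolve(wanted: int, exports: Dict[str, int]) -> Optional[int]:
    """Malware side: walk a module's export names, hash each one, and return
    the address whose hash matches. The name of the API it wants never appears
    in the sample, only the constant `wanted`."""
    for name, address in exports.items():
        if ror13_hash(name) == wanted:
            return address
    return None


def build_hash_table(export_names: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name over export lists dumped from the
    DLLs of interest, so constants pulled from a sample map back to API names."""
    return {ror13_hash(n): n for n in export_names}


def resolve_constants(constants: Iterable[int],
                      table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each hash constant found in a sample to a name, or None when the
    export lists used to build `table` did not contain it."""
    return {c & MASK32: table.get(c & MASK32) for c in constants}


# Constructed stand-in for export tables dumped from kernel32.dll / ntdll.dll.
# Addresses are fake; a real loader would read them from the loaded module.
FAKE_EXPORTS: Dict[str, int] = {
    "LoadLibraryA": 0x7FF800001000,
    "GetProcAddress": 0x7FF800001100,
    "VirtualAllocEx": 0x7FF800001200,
    "WriteProcessMemory": 0x7FF800001300,
    "CreateProcessA": 0x7FF800001400,
    "GetThreadContext": 0x7FF800001500,
    "SetThreadContext": 0x7FF800001600,
    "ResumeThread": 0x7FF800001700,
    "NtUnmapViewOfSection": 0x7FF800001800,
}


def demo() -> Dict[int, Optional[str]]:
    """Simulate the round trip: the loader resolves the APIs a hollowing
    routine needs purely by hash, then an analyst recovers the names from the
    same constants (plus one unknown constant that stays unresolved)."""
    wanted = [ror13_hash(n) for n in FAKE_EXPORTS]  # constants baked into the sample
    for h in wanted:
        assert loader_resolve(h, FAKE_EXPORTS) is not None
    table = build_hash_table(FAKE_EXPORTS)
    return resolve_constants(wanted + [0xDEADBEEF], table)


if __name__ == "__main__":
    for h, name in demo().items():
        print(f"0x{h:08X} -> {name}")
```

The practical takeaway for detection is in `build_hash_table`: once the hashing routine is identified in a sample, hashing the full export lists of the common system DLLs gives a lookup table that turns each 32-bit constant back into an API name, which is how tools such as hash databases for shellcode analysis work. A string-based YARA rule looking for "NtUnmapViewOfSection" will not fire on a loader built this way; a rule on the hash constants or on the hashing loop itself will.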
Some of the uncovered C2 servers are: “purplebear[.]com”, “pinkgoat[.]com”, “purewatertokyo[.]com”, and “salmonrabbit[.]com”.
About Lazarus
The North Korean hacking group is already notorious among threat actors. Active since 2009, Lazarus has been linked to ransomware campaigns, cryptocurrency theft and scams, cyber espionage, and other operations.
The campaigns the group has run so far this year have been enough to push it to the top of the list of most active threat groups. Two of the most notorious campaigns this year were the fake Crypto.com job offers and the FudModule rootkit campaign that abused a Dell driver bug.