Infamous North Korean hacking collective Lazarus Group is using an updated version of its DTrack backdoor to target firms in Europe, and Latin America. The group is out for money, Kaspersky researchers are saying, as the campaign is purely driven by profit.
BleepingComputer (opens in new tab) has reported that the threat actors are using the updated DTrack to target companies in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States.
The firms under fire include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunication providers, utility service providers, and education firms.
Modular backdoor
DTrack is described as a modular backdoor. It can log keystrokes, take screenshots, exfiltrate browser history, view running processes, and obtain network connection information.
It can also run different commands on the target endpoint, download additional malware, and exfiltrate data.
Post-update, DTrack now uses API hashing to load libraries and functions, instead of obfuscated strings and that it now uses just three command and control (C2) servers, compared to the previous six.
Some of the C2 servers Kaspersky uncovered as being used by the backdoor are “pinkgoat[.]com”, “purewatertokyo[.]com”, “purplebear[.]com”, and “salmonrabbit[.]com.”
It also found that DTrack distributes malware labelled with file names usually associated with legitimate executables.
In one case, it was said, the backdoor was hiding behind “NvContainer.exe”, an executable file usually distributed by NVIDIA. The group would use stolen credentials to log into target networks, or would exploit internet-exposed servers to install the malware.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba