North Korean hackers return with updated version of this dangerous malware
Notorious North Korean hacking collective Lazarus Group is using an updated version of its DTrack backdoor to target companies in Europe and Latin America. According to Kaspersky researchers, the group is out for money: the campaign is driven purely by profit.
BleepingComputer has reported that the threat actors are using the updated DTrack to attack companies in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the United States.
The companies under attack include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunications providers, utilities and education companies.
Modular backdoor
DTrack is described as a modular backdoor. It can record keystrokes, take screenshots, exfiltrate browser history, view running processes and obtain network connection information.
It can also run various commands on the target endpoint, download additional malware and exfiltrate data.
Following the update, DTrack uses API hashing to load libraries and functions instead of obfuscated strings, and now uses only three command and control (C2) servers instead of the previous six.
Some of the C2 servers Kaspersky found the backdoor using are “pinkgoat[.]com”, “purewatertokyo[.]com”, “purplebear[.]com” and “salmonrabbit[.]com”.
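Import resolution by hash, as described above, is the point where an analyst usually has to do some work: the sample no longer contains readable API names, so the names are recovered by hashing candidate export names with the same scheme and looking the observed hashes up. The following Python is an added example written for this article, not code from Kaspersky or from the malware; the rotate-right-13-and-add hash and the export list are assumptions for illustration, since the article does not state which algorithm DTrack uses.

```python
# Added example, not from the article or from Kaspersky's analysis.
# When a sample resolves imports by hash rather than by name, an analyst
# rebuilds a hash -> name table from the export names of the DLLs the sample
# is known to load, then resolves each hash seen in the code. The hash scheme
# here (rotate-right-13 with addition over the ASCII bytes) is an ASSUMPTION
# used for illustration; the article does not state DTrack's algorithm.
from typing import Callable, Dict, Iterable, List, Optional


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13-and-add hash of an API name (assumed scheme)."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # ROR 13 on a 32-bit value
        h = (h + byte) & 0xFFFFFFFF
    return h


def build_lookup(export_names: Iterable[str],
                 hash_fn: Callable[[str], int] = ror13_hash) -> Dict[int, str]:
    """Map every candidate export name to its hash so hashes can be reversed."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            # A collision would make resolution ambiguous; surface it loudly.
            raise ValueError(f"hash collision: {table[h]} / {name}")
        table[h] = name
    return table


def resolve_hashes(observed: Iterable[int],
                   table: Dict[int, str]) -> List[Optional[str]]:
    """Resolve hashes pulled from a sample; unknown hashes come back as None."""
    return [table.get(h) for h in observed]


# Constructed export list standing in for the names exported by kernel32.dll
# and similar; a real run would parse the export tables of the DLLs on disk.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "CreateFileW", "WriteFile",
    "VirtualAlloc", "CreateProcessW", "GetTickCount",
]

if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    # Constructed "observed" hashes: two that resolve and one that does not.
    observed = [ror13_hash("VirtualAlloc"), ror13_hash("CreateProcessW"), 0xDEADBEEF]
    for h, name in zip(observed, resolve_hashes(observed, table)):
        print(f"{h:#010x} -> {name or 'unresolved'}")
```

In practice the candidate list is the full export table of every DLL the sample loads, and the hash function is recovered from the sample's own resolver routine; an unresolved hash usually means the wrong DLL set or the wrong algorithm rather than a genuinely unknown API.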
It also discovered that DTrack is distributed under filenames usually associated with legitimate executables.
In one case, the backdoor was hiding behind “NvContainer.exe”, an executable commonly distributed by NVIDIA. The group used stolen credentials to log into target networks, or exploited servers exposed on the internet, to install the malware.
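The two observables above, a well-known binary name running from somewhere it should not be and DNS lookups of the published C2 domains, are cheap to check in endpoint and DNS telemetry. The Python below is an added example written for this article, not code from Kaspersky or BleepingComputer; the expected install directory for NvContainer.exe and the telemetry records are assumptions and constructed sample data, while the domain list is the one printed in the article.

```python
# Added example, not from the article or from Kaspersky's analysis.
# Two checks a defender can run over process and DNS telemetry for the
# behaviours the article describes. The expected install directory and the
# sample records are ASSUMPTIONS / constructed data, not article values.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Set

# Domains exactly as printed (defanged) in the article; refanged for matching.
C2_DOMAINS_DEFANGED = [
    "pinkgoat[.]com", "purewatertokyo[.]com", "purplebear[.]com", "salmonrabbit[.]com",
]
C2_DOMAINS: Set[str] = {d.replace("[.]", ".").lower() for d in C2_DOMAINS_DEFANGED}

# Baseline of where a given binary name is expected to live (assumed, illustrative).
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "nvcontainer.exe": {r"c:\program files\nvidia corporation\nvcontainer"},
}


@dataclass
class ProcessEvent:
    host: str
    image_path: str


@dataclass
class DnsEvent:
    host: str
    query: str


def check_process(ev: ProcessEvent) -> List[str]:
    """Flag a baselined binary name that runs from a non-baselined directory."""
    path = PureWindowsPath(ev.image_path)
    expected = EXPECTED_DIRS.get(path.name.lower())
    if expected is None or str(path.parent).lower() in expected:
        return []
    return [f"{ev.host}: {path.name} running from unexpected location {path.parent}"]


def check_dns(ev: DnsEvent) -> List[str]:
    """Flag a query for a published C2 domain or any subdomain of one."""
    q = ev.query.lower().rstrip(".")
    for dom in C2_DOMAINS:
        if q == dom or q.endswith("." + dom):
            return [f"{ev.host}: DNS query for known DTrack C2 domain {q}"]
    return []


def scan(procs: List[ProcessEvent], dns: List[DnsEvent]) -> List[str]:
    alerts: List[str] = []
    for p in procs:
        alerts += check_process(p)
    for d in dns:
        alerts += check_dns(d)
    return alerts


# Constructed telemetry: one legitimate NvContainer, one masquerade, one
# unrelated process; one direct C2 lookup, one subdomain lookup, one benign.
SAMPLE_PROCS = [
    ProcessEvent("ws01", r"C:\Program Files\NVIDIA Corporation\NvContainer\NvContainer.exe"),
    ProcessEvent("ws02", r"C:\Users\Public\NvContainer.exe"),
    ProcessEvent("ws02", r"C:\Windows\System32\svchost.exe"),
]
SAMPLE_DNS = [
    DnsEvent("ws02", "purplebear.com"),
    DnsEvent("ws03", "cdn.salmonrabbit.com."),
    DnsEvent("ws01", "example.com"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PROCS, SAMPLE_DNS):
        print(line)
```

The path check is deliberately name-based because that is what the masquerade exploits; pairing it with a signature check on the file would cut false positives from NVIDIA updates that relocate the binary, at the cost of trusting whatever the signing chain says.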