North Korean hackers return with updated version of this dangerous malware
DTrack is back and carrying new tweaks
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Infamous North Korean hacking collective Lazarus Group is using an updated version of its DTrack backdoor to target firms in Europe, and Latin America. The group is out for money, Kaspersky researchers are saying, as the campaign is purely driven by profit.
BleepingComputerhas reported that the threat actors are using the updated DTrack to target companies in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States.
The firms under fire include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunication providers, utility service providers, and education firms.
Modular backdoor
DTrack is described as a modular backdoor. It can log keystrokes, take screenshots, exfiltrate browser history, view running processes, and obtain network connection information.
It can also run different commands on the targetendpoint, download additionalmalware, and exfiltrate data.
Lazarus hackers are using Log4j to hack US energy companies>Lazarus hackers target Dell drivers with new rootkit>Check out the best firewalls around
Post-update, DTrack now uses API hashing to load libraries and functions, instead of obfuscated strings and that it now uses just three command and control (C2) servers, compared to the previous six.
Some of the C2 servers Kaspersky uncovered as being used by the backdoor are “pinkgoat[.]com”, “purewatertokyo[.]com”, “purplebear[.]com”, and “salmonrabbit[.]com.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
It also found that DTrack distributes malware labelled with file names usually associated with legitimate executables.
In one case, it was said, the backdoor was hiding behind “NvContainer.exe”, an executable file usually distributed byNVIDIA. The group would use stolen credentials to log into target networks, or would exploit internet-exposed servers to install the malware.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
Anker Nebula Mars 3 review: A powerful and truly portable projector
