The Dtrack RAT has been attributed to the Lazarus group, which is said to be fairly active in terms of malware development. This RAT has been targeting Indian financial institutions and research centers with tools similar to those used in the 2013 Seoul campaigns. One of the recent tools believed to originate from the computers of the Lazarus Advanced Persistent Threat group is Dtrack RAT, a Remote Access Trojan that allows its operators to take almost complete control over infected computers. It is believed that the Dtrack RAT is related to ATMDtrack, a piece of ATM malware that was found on the computers of Indian banks in 2018. Both tools are developed and used by the Lazarus APT group, and it is likely that the ATMDtrack is a stripped-down version of the Dtrack RAT.
The dropper has an encrypted payload embedded as an overlay of a PE file. The overlay data, when decrypted, contains an extra executable, process hollowing shellcode, and a list of predefined executable names. Its decryption routine has been observed to start between the start() and WinMain() functions. The malicious code is embedded into a binary that is a harmless executable such as the Visual Studio MFC project. Once the data is decrypted, the process hollowing code starts. It takes the name of the process to be hollowed as an argument.
When the Dtrack RAT is initialized, it will connect to the pre-configured address used for a Command & Control server immediately. The RAT checks for new commands at a specific time interval, and executes all pending tasks immediately. The attacker can configure the time interval between command checks, and they also can:
- Upload or download files to the compromised computer and launch them.
- Grant startup persistence to files they choose.
- Copy the contents of a folder, partition, or hard drive to their control server.
- Update the Dtrack RAT or remove it.
The number of victims affected by the Dtrack RAT is still very low, and cybersecurity experts have not been able to identify a precise security hole that the Lazarus hackers might have used to deliver the threatening program. It is likely that they attempt to exploit vulnerable services and software, unpatched operating systems, or poorly secured networks.
Defending against Dtrack
As the criminals are looking to gain partial control over the network for spying through this campaign, security experts recommend companies to:
- Enhance network and password policies
- Use traffic monitoring software and antivirus solutions
For more Cybersecurity Information contact us at firstname.lastname@example.org