The infamous North Korean hacking collective Lazarus Group is using an updated version of its DTrack backdoor to attack companies in Europe and Latin America. Kaspersky researchers say the campaign is purely for profit, meaning the group is after money.
BleepingComputer reported that the cybercriminals are using the updated DTrack to target companies in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the United States.
Companies under fire include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunications providers, utilities providers and education companies.
Modular backdoor
DTrack is described as a modular backdoor. It can record keystrokes, take screenshots, exfiltrate browser history, view running processes and obtain network connection information.
It can also run various commands on the targeted endpoint, download additional malware and exfiltrate data.
With the update, DTrack now uses API hashing to load libraries and functions instead of obfuscated strings, and it now uses only three command and control (C2) servers, down from the previous six.
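API hashing means the backdoor stores a numeric hash of each Windows API name it needs and resolves it at run time by hashing the exports of a loaded library until one matches, so the plain API names never appear in the binary for string-based detection. The snippet below is an added analysis example, not Kaspersky's or the malware's code: it shows how an analyst rebuilds a lookup table from known export names to turn hashes found in a sample back into names. DTrack's actual hash algorithm is not given on this page; the ROR-13 routine used here is an assumed stand-in.

```python
# Added example: resolving API-hashed imports during analysis.
# The ROR-13 routine is assumed (DTrack's real algorithm is not stated here).

def ror13_hash(name: str) -> int:
    """Hash an export name: for each byte, rotate the 32-bit accumulator
    right by 13, then add the byte value."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_hash_table(export_names):
    """Precompute hash -> name for every export an analyst wants to recognise."""
    return {ror13_hash(n): n for n in export_names}


def resolve_hashes(hashes, table):
    """Map each hash pulled from a sample back to an API name (None if unknown)."""
    return {h: table.get(h) for h in hashes}


# Constructed export list standing in for the export tables of kernel32.dll
# and user32.dll; a real analysis would parse them from the DLLs on disk.
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "CreateProcessA", "VirtualAlloc",
    "WriteFile", "GetAsyncKeyState", "BitBlt", "InternetOpenA",
]

if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    # Constructed sample hashes, as they might be copied out of a disassembly.
    sample_hashes = [ror13_hash("LoadLibraryA"), ror13_hash("GetAsyncKeyState"), 0xDEADBEEF]
    for h, name in resolve_hashes(sample_hashes, table).items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```

An unresolved hash usually means the table is missing that DLL's exports or the sample uses a different hash routine, which is the first thing to confirm when the matches look wrong.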
Some of the C2 servers that Kaspersky discovered to be used by the backdoor include “pinkgoat[.]com”, “purewatertokyo[.]com”, “purplebear[.]com” and “salmonrabbit[.]com”.
DTrack has also been found disguised under filenames usually associated with legitimate executables.
In one case, the backdoor was said to be hiding behind “NvContainer.exe”, an executable usually distributed by NVIDIA. The group used stolen credentials to log into targeted networks, or used servers exposed to the Internet, to install the malware.