New DTrack Malware Hides Itself Inside A Legitimate Executable Program

The North Korean hackers carried out an attack on organizations in Europe and Latin America using a new version of the DTrack backdoor.

In addition to its modular nature, DTrack features the following key things:-

• A keylogger
• A screenshot snapper
• A browser history retriever
• A running processes snooper
• An IP address snatcher
• A network connection information snatcher

The Lazarus group has been using DTrack as a backdoor to access different systems. In spite of the fact that the backdoor was discovered three years ago, the threat actors are still using this backdoor today. The Lazarus group covers a wide range of targets with this backdoor.

DTrack Attribution

The security experts at Kaspersky security lab uncovered that the North Korean hacking group Lazarus is responsible for the activity. The threat actors utilize DTrack whenever profits are to be made from their activity, especially from financial sectors.

Researchers already detected the backdoor in August 2022 and linked it to a North Korean hacking group nicknamed ‘Andariel’. It was discovered that Andariel had deployed Maui ransomware on US and South Korean corporate networks.

Here below we have also mentioned all the stages involved:-

• First stage: implanted code

There are several stages involved in the process of unpacking malware by DTrack. By reading the payload from a file offset or from a resource within the PE binary, DTrack can retrieve the payload from a file. 

A second stage of the malware is stored within the PE file of the malware, and in order to obtain it, two methods can be used:-

• Offset based
• Resource-based

• Second stage: shellcode

As the name implies, the payload of the second-stage attack consists of the bulk of the attack, which is heavily obfuscated shellcode used in the primary payload of the attack. There is a difference between each sample regarding the encryption method used by the second layer.

• Third stage: shellcode and final binary

To make an analysis of the shellcode more challenging, the shellcode uses some quite interesting obfuscation tricks. 

Whenever the program starts, the first thing it accomplishes is to look for the beginning of the key in order to decrypt it. Shellcode decrypts the eight bytes immediately following the key once it has found the key. 

As part of the configuration information, this will serve as a second threshold for specifying the size and offset at which the payload should be entered into the system.

DTrack Victims 

This modular backdoor has been found to have been used to attack several countries, and the following is a list of the most popular ones:-

• Germany
• Brazil
• India
• Italy
• Mexico
• Switzerland
• Saudi Arabia
• Turkey
• United States

There is evidence that DTrack is spreading into new regions around the world, indicating the success of DTrack. Among the sectors targeted by the threat actors are:-

• Education
• Chemical manufacturing
• Government research centres
• Government policy institutes
• IT service providers
• Utility providers
• Telecommunications companies

Final payload

Following the decryption of the final payload, the DLL can be loaded into explorer.exe using a process hollowing method. While the libraries loaded by DTrack samples had previously been encoded as obfuscated strings.

The API hashing is used in the more recent versions of the software to ensure the correct libraries and functions are loaded. Additionally, there is a small change in the number of C2 servers used; that is, instead of six, three are used.

The DTrack backdoor is still actively used by Lazarus in their attacks against the network. This is a tool that has the capability to upload, download, launch or delete files on a victim’s system that can be used by criminals.

Azure Active Directory Security – Download Free E-Book