Hackers affiliated with the North Korean government are using a reworked variant of the Dtrack backdoor against organizations in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States, according to recent research.
Kaspersky researchers Konstantin Zykov and Jornt van der Wiel report that Dtrack lets its operators upload, download, execute, and delete files on infected hosts. The victim profile marks an expansion into Europe and Latin America, with targets in education, chemical manufacturing, government research centers, IT service providers, utilities, and telecommunications.
Also known as Valefor and Preft, Dtrack is attributed to Andariel, a subgroup of the Lazarus nation-state actor, which the security community tracks under names including Operation Troy and Silent Chollima. Publicly documented in September 2019, Dtrack was used in the attack on a nuclear power plant in India and, more recently, in incidents involving the Maui ransomware.
Industrial cybersecurity firm Dragos attributes the nuclear plant intrusion to a group it tracks as WASSONITE and notes Dtrack's role in providing remote access to compromised networks. Kaspersky's latest findings show changes to how the malware hides inside seemingly innocuous executables, wrapping the payload in three layers of encryption and obfuscation to slow analysis.
The infection chain ends with the decrypted payload being injected into the Windows File Explorer process (explorer.exe) by process hollowing: a legitimate process is started in a suspended state, its original image is unmapped and replaced with the malicious one, and execution is then resumed. Modules delivered by Dtrack include a keylogger and components for taking screenshots and collecting system information.
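Because the final stage is a hollowed explorer.exe, one practical detection is to hunt process-creation telemetry for shell launches that break the normal process tree: a dropper that creates a suspended explorer.exe becomes its parent, and a masquerading copy runs from somewhere other than the Windows directory. The script below is an added example written for this page, not Kaspersky's code or any detection the report publishes. It assumes Sysmon Event ID 1 field names, an assumed baseline of legitimate explorer.exe parents (userinit.exe, winlogon.exe, explorer.exe, svchost.exe), and sample records constructed here rather than taken from real telemetry.

```python
"""Hunt Sysmon process-creation records (Event ID 1) for explorer.exe launches
that break the normal process tree, the trace process hollowing leaves when a
dropper starts a suspended explorer.exe and replaces its image.
Added example: not Kaspersky's or any vendor's tooling; baselines are assumptions."""
import json
import ntpath

# Assumption: parents that legitimately start explorer.exe on a typical
# Windows workstation. Tune this to your own baseline before deploying.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe", "svchost.exe"}
# Assumption: the only legitimate on-disk location of the Windows shell binary.
EXPECTED_EXPLORER_PATH = r"c:\windows\explorer.exe"

# Constructed sample telemetry (not real logs), one JSON object per line using
# Sysmon's field names. Record 2 models a dropper spawning explorer.exe to hollow
# it; record 3 models a masquerading copy of explorer.exe dropped in %TEMP%.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\explorer.exe", "ParentProcessId": 3996, "ParentImage": "C:\\Windows\\System32\\userinit.exe"}
{"EventID": 1, "ProcessId": 5512, "Image": "C:\\Windows\\explorer.exe", "ParentProcessId": 5380, "ParentImage": "C:\\Users\\alice\\Downloads\\setup_update.exe"}
{"EventID": 1, "ProcessId": 6004, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\explorer.exe", "ParentProcessId": 4120, "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessId": 6100, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentProcessId": 4120, "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "ProcessId": 4120, "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "10.0.0.5"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def check_event(event):
    """Return the reasons an Event ID 1 record looks like a hollowed or
    masquerading explorer.exe; an empty list means nothing suspicious."""
    reasons = []
    if event.get("EventID") != 1:
        return reasons  # only process-creation records carry a parent
    image = event.get("Image", "")
    if _basename(image) != "explorer.exe":
        return reasons
    if image.lower() != EXPECTED_EXPLORER_PATH:
        reasons.append(f"explorer.exe running from unexpected path {image}")
    parent_image = event.get("ParentImage", "")
    if _basename(parent_image) not in EXPECTED_EXPLORER_PARENTS:
        reasons.append(f"explorer.exe spawned by unexpected parent {parent_image}")
    return reasons


def hunt(events):
    """Run check_event over a batch and return one finding per flagged process."""
    findings = []
    for event in events:
        reasons = check_event(event)
        if reasons:
            findings.append({"ProcessId": event.get("ProcessId"),
                             "ParentProcessId": event.get("ParentProcessId"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_log(SAMPLE_LOG)):
        print(finding["ProcessId"], "<-", finding["ParentProcessId"],
              "; ".join(finding["reasons"]))
```

On the constructed sample this flags PID 5512 (started by a file in a Downloads folder) and PID 6004 (running from %TEMP%), and passes the shell started by userinit.exe. Both checks are heuristics: a dropper can itself run under a whitelisted parent, and a baseline that is too broad hides the anomaly. Because hollowing does not modify the file on disk, the confirming step is to compare the in-memory image of the suspect explorer.exe with the binary on disk, where a replaced PE is unmistakable.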
Kaspersky's analysis shows that Lazarus continues to rely on the Dtrack backdoor, and the reworked packaging indicates the tool still matters to the group. The changes point to an emphasis on operational security: evading detection while keeping a foothold in target networks.
Mapped to the MITRE ATT&CK framework, the behaviour described above covers Process Injection: Process Hollowing (T1055.012), Obfuscated Files or Information (T1027), Input Capture: Keylogging (T1056.001), Screen Capture (T1113), and System Information Discovery (T1082), while the file upload, download, and execute capability lets operators bring in further tooling (Ingress Tool Transfer, T1105). Initial access through drive-by compromise or exploitation of software vulnerabilities is possible but is not established by the evidence presented here. Malware built to this standard illustrates the difficulty organizations face in defending their systems against state-sponsored threats.