An espionage malware called Dtrack – and a related variant, ATMDtrack – has been traced back to the notorious North Korea-linked Lazarus Group APT. Both have been identified this month targeting victims in India.
According to researcher Konstantin Zykov of Kaspersky, researchers first uncovered ATMDtrack in 2018, which is designed to be planted on ATMs, where it can read and store the data of cards that are inserted into the machines. Further investigation into ATMDtrack uncovered related samples of a much more capable malware: Dtrack.
Dtrack is a remote access trojan (RAT) that boasts more than 180 different variants and a raft of spy functions.
“We were able to find [Dtrack] because of the unique sequences shared by ATMDtrack and the Dtrack memory dumps,” explained Zykov, in a blog post on Monday. “After that, it got very interesting, because once we decrypted the final payload…we saw similarities with the DarkSeoul campaign, dating back to 2013 and attributed to the Lazarus Group. It seems that they reused part of their old code to attack the financial sector and research centers in India.”
According to the analysis, the malware authors embedded the malicious code into various harmless executables, including the default Visual Studio MFC project in Windows. Once triggered, it starts a process-hollowing routine whose memory is overwritten with a decrypted executable Dtrack payload from a dropper overlay.
Once installed, Dtrack can carry out a variety of functions including: keylogging; retrieving browser history; gathering host IP addresses, information about available networks and active connections; listing all running processes; and listing all files on all available disk volumes. Some of the information is saved to disk, while other data is sent out to a command-and-control (C2) server.
It also has an additional RAT executable that extends its functionality, including uploading and downloading files and folders, and fetching more executables.
Zykov noted that despite differences (such as ATMDtrack’s lack of encryption for its payload), both the ATM malware and the spyware share the same provenance and operators.
“After decrypting the Dtrack payload, it becomes clear that the developers are the same group of people: Both projects have the same style and use the same implemented functions,” he wrote. “The most obvious function they have in common is the string manipulation function. It checks if there is a CCS_ substring at the beginning of the parameter string, cuts it out and returns a modified one. Otherwise, it uses the first byte as an XOR argument and returns a decrypted string.”
All of this also tied the malware back to the North Korean-linked hacking group, which was recently sanctioned by the U.S. for its role in the 2017 WannaCry attacks, among other high-profile activity. Much of Lazarus Group’s efforts are targeted at raising money for the regime in Pyongyang, but high-level espionage is also on their to-do list.
“The Lazarus Group is one of the most active APT groups in terms of malware development,” Zykov said. “They continue to develop malware at a fast pace and expand their operations. We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers. And once again, we see that this group uses similar tools to perform both financially-motivated and pure espionage attacks.”
Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don’t miss our free Threatpost webinar, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. Click here to register.
