The Context:
New malware is making headlines globally- The Dtrack RAT. Seen this month attacking victims in India, which is bent on financial gain and high-end spying. The malware is said to be traced back to North Korea- linked Lazarus Group APT. A related variant has also been discovered – ATMDtrack that was uncovered in 2018 by the Kaspersky researchers. Here’s what all the fuss is about.
Beware! Your ATM Transactions are being watched.
Dtrack vs. ATMDtrack:
As ATMDtrack is a part of the Dtrack family, they both look different. The ATMDtrack samples are not encrypted, while the Dtrack comes with an encrypted payload within the dropper.
Once the Dtrack payload is decrypted, a similar style is implemented, suggesting that the same developer is behind bothe pieces of malware. A striking example of this is the string manipulation function that checks for a CCS_substring at the start of a parameter string and removes it to return a modified string. If the CCS_substring is not present, the first byte is used as an XOR argument to return the decrypted string.
Researchers also identified unique sequences that were common in the ATMDtrack and Dtrack memory dumps. According to the researchers, the exact information about the infection of Dtrack is not yet determined.
What about Dtrack RAT?
ATMDtrack was designed to be planted on ATM’s where it could read and store data of the cards that are inserted into the machines. The researchers were able to find Dtrack because of the unique sequence shared by ATMDtrack and the Dtrack memory dumps.
The Initial discovered Dtrack samples were observed to be dropped ones because of the real payloads were encrypted with various droppers. On decrypting the final payload, several similarities with the DarkSeoul campaign emerged.
Dtrack can be used as a remote administration tool, giving threat actors to complete control over infected devices. Criminals then perform different operations such as uploading and downloading files and executing key processes. Entities targeted by threat actors using the Dtrack remote administration tool often have weak network security policies and password standards. They also fail to track traffic across the organizations.
Dtrack has an additional RAT executable that extends its functionality, including uploading and downloading files and folders and fetching more executables. According to the research expert at Kaspersky, both ATM malware and the spyware share the same provenance and operators due to ATMDtrack’s lack of encryption for its payload.
If the infection if successfully implemented, the spyware can list all available files and running processes, keylogging, browsing history, and hosting IP addresses. The successful execution of Dtrack RAT proves that even when a threat seems to disappear, it can be resurrected in a different guise to attack new targets.
Dtrack RAT is active and is still used in cyberattacks.
The Impact:
Dtrack samples were found to be infected computers over 18 states in India. Maharashtra is at the top list of 18 Indian States where samples of Dtrack malware have been detected in financial institutions, raising significant concern for security systems. The maximum Dtrack samples were found in Maharashtra at 24%, followed by Karnataka at 18.5% and Telangana at 12%.
The other infected states include West Bengal, Uttar Pradesh, Tamil Nadu, Delhi, and Kerala, spotted in Indian financial institutions and research centers last year. The lastest information disclosed that the malware is ‘active’ and used in ‘cyber-attacks.’ Following a further investigation, the researchers found more than 180 new malware samples having the same code sequence similarities with ATMDtrack.
India’s largest civil Nuclear Facility at Kudankulam Nuclear Power Plant (KNPP) in Tamil Nadu, was breached according to the cybersecurity expert. The disclosure of the alleged incident was first triggered by a Twitter post on October 28 from an anonymous account, showing clues resembling Dtrack malware.
Defending against Dtrack:
As the criminals are looking to gain partial control over the network for spying through this campaign, you need to:
- Enhance network and password policies.
- Use traffic monitoring software and antivirus solutions.
This was all about the new Dtrack RAT fuss. If you are interested in learning more about day-to-day cyber attacks, head towards the blog section for more information. This brings me back to the recent high-risk trojan malware- Raccoon Stealer. A new kind of trojan malware is fast gaining currency among the cybercriminals for the capability to steal sensitive information like – credit card data, cryptocurrency wallets, and email credentials. This new trojan malware is dubbed as Raccoon Stealer. In this article, we will be gaining knowledge about the high-risk trojan malware and how can it be avoided. To know more, visit here !!
Stay Updated. Stay Protected!