
Europe & America targeted by North Korean With Updated DTrack Backdoor…

by Sriram Parisa

Hackers linked to the North Korean government have been observed using an updated version of a backdoor known as Dtrack against a wide range of industries in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the United States.

“Dtrack allows criminals to upload, download, launch or delete files on the victim’s host,” Kaspersky researchers Konstantin Zykov and Jornt van der Wiel said in a report.

Victimology patterns indicate an expansion into Europe and Latin America. The industries targeted by the malware include education, chemical manufacturing, government research centers and policy institutes, IT service providers, utility providers, and telecommunications companies.

Dtrack, also called Valefor and Preft, is the work of Andariel, a subgroup of the nation-state threat actor Lazarus. The broader cybersecurity community publicly tracks this activity under the monikers Operation Troy, Silent Chollima, and Stonefly.

First documented in September 2019, the malware was previously deployed in a cyberattack on a nuclear power plant in India, and more recent intrusions have used Dtrack as part of the Maui ransomware attacks.

Industrial cybersecurity firm Dragos has since attributed the attack on the nuclear facility to a threat actor it calls WASSONITE, pointing to the use of Dtrack for remote access to the compromised network.

The latest changes observed by Kaspersky concern the way the implant hides inside an apparently legitimate program ("NvContainer.exe" or "XColorHexagonCtrlTest.exe") and its use of three layers of encryption and obfuscation designed to make analysis harder.

The final payload, once decrypted, is injected into the Windows Explorer process ("explorer.exe") using a technique called process hollowing. Chief among the modules downloaded through Dtrack is a keylogger, alongside tools for capturing screenshots and gathering system information.
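Process hollowing gives defenders a useful telemetry artefact: the dropper has to create the target process itself (normally suspended) before replacing its image, so a hollowed explorer.exe shows the dropper as its parent, whereas a real Explorer shell is started by userinit.exe at logon or by explorer.exe on restart. The following hunting heuristic is an added example, not code from the Kaspersky report or this article. The sample events are constructed in a Sysmon-Event-1-like shape; the field names, the parent allow-list and the directories are assumptions to tune per environment, not indicators from the page (only the decoy file names come from the report).

```python
"""
Added hunting example (not from the Kaspersky report or the article):
flag explorer.exe process-creation events whose parent or image path is not
what a legitimately started Explorer shell would have.
"""
from typing import Iterable

# Parents that normally start explorer.exe on a workstation (assumption).
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe"}

# Where the real shell binary lives (assumption; a copy anywhere else is suspect).
EXPECTED_EXPLORER_PATHS = {r"c:\windows\explorer.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_explorer_events(events: Iterable[dict]) -> list[dict]:
    """Return explorer.exe creation events with an unexpected parent or path."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if _basename(image) != "explorer.exe":
            continue
        reasons = []
        parent = _basename(ev.get("ParentImage", ""))
        if parent not in EXPECTED_EXPLORER_PARENTS:
            reasons.append(f"unexpected parent: {parent or '<none>'}")
        if image.lower() not in EXPECTED_EXPLORER_PATHS:
            reasons.append(f"unexpected image path: {image}")
        if reasons:
            findings.append({
                "ProcessId": ev.get("ProcessId"),
                "Image": image,
                "ParentImage": ev.get("ParentImage"),
                "reasons": reasons,
            })
    return findings


# Constructed sample telemetry (Sysmon Event 1 style). The decoy name
# NvContainer.exe is taken from the report; the directories are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 1204, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},        # normal logon shell
    {"ProcessId": 3388, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                 # not explorer, ignored
    {"ProcessId": 5612, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Users\Public\NvContainer.exe"},         # hollowing-style parent
    {"ProcessId": 7040, "Image": r"C:\Users\alice\AppData\Local\Temp\explorer.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                 # masquerading copy
]


def main() -> None:
    for hit in suspicious_explorer_events(SAMPLE_EVENTS):
        print(f"PID {hit['ProcessId']} {hit['Image']} <- {hit['ParentImage']}: "
              + "; ".join(hit["reasons"]))


if __name__ == "__main__":
    main()
```

Two caveats when turning this into a production rule: NvContainer.exe is also the name of a legitimate NVIDIA component, so the decoy file name on its own is not an indicator, and the parent allow-list will need additions on hosts where other components legitimately respawn the shell. The durable signal is the parent relationship combined with the image path, which the dropper cannot avoid when it hollows a freshly created explorer.exe.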

“The Dtrack backdoor continues to be actively used by the Lazarus group,” the researchers concluded. “Changes in the way malware is packaged show that Lazarus still sees Dtrack as an important asset.”
