Infamous North Korean hacking collective Lazarus Group is using an updated version of its DTrack backdoor to target firms in Europe and Latin America. The group is out for money, Kaspersky researchers are saying, as the campaign is purely driven by profit.
BleepingComputer (opens in new tab) has reported that the threat actors are using the updated DTrack to target companies in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States.
The firms under fire include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunication providers, utility service providers, and education firms.
DTrack is described as a modular backdoor. It can log keystrokes, take screenshots, exfiltrate browser history, view running processes, and obtain network connection information.
It can also run different commands on the target endpoint, download additional malware, and exfiltrate data.
Post-update, DTrack now uses API hashing to load libraries and functions, instead of obfuscated strings and that it now uses just three command and control (C2) servers, compared to the previous six.
Some of the C2 servers Kaspersky uncovered as being used by the backdoor are “pinkgoat[.]com”, “purewatertokyo[.]com”, “purplebear[.]com”, and “salmonrabbit[.]com.”
It also found that DTrack distributes malware labeled with file names usually associated with legitimate executables.
In one case, it was said, the backdoor was hiding behind “NvContainer.exe”, an executable file usually distributed by NVIDIA. The group would use stolen credentials to log into target networks, or would exploit internet-exposed servers to install the malware.