An investigation into banking malware targeting India has led to the discovery of a new remote access Trojan (RAT) employed by the North Korean-linked Lazarus group, Kaspersky reports.
Dubbed Dtrack, the Trojan was discovered during the analysis of ATMDtrack, a piece of malware that, once planted on ATMs, could read and store data from payment cards. During their investigation, Kaspersky’s security researchers discovered over 180 samples of Dtrack.
Initially, the payload was encrypted with various droppers. After decrypting the final payload, Kaspersky found similarities with the 2013 DarkSeoul campaign, which was attributed to the Lazarus group.
“It seems that they reused part of their old code to attack the financial sector and research centers in India. According to our telemetry, the last activity of DTrack was detected in the beginning of September 2019,” Kaspersky says.
Artifacts the researchers discovered during their analysis of the malware include an extra executable, process hollowing shellcode, and a list of predefined executable names, which the malware uses as a future process name.
During execution, data is decrypted, then process hollowing code is started, with the name of the process to be hollowed used as an argument (the name is chosen from the predefined list). The target of the process hollowing is suspended and its memory overwritten with the payload from the dropper overlay.
The droppers contain multiple executables, all meant to spy on the victim. The various Dtrack payload executables found include functionality such as keylogging, retrieving browser history, gathering host IP addresses, information about available networks and active connections, listing all running processes, and li ..
Support the originator by clicking the read the rest link below.
