According to a Kaspersky Lab report, the DTrack malware used by the Lazarus group has received an update and has spread around the world.
The DTrack backdoor was first discovered in 2019 and targets financial and energy organizations, as well as ATMs. DTrack allows cybercriminals to:
- modify, upload and exfiltrate files remotely;
- record keystrokes (built-in keylogger);
- create screenshots;
- collect information about the victim's system.
After 3 years, DTrack has received updates and now hides inside an executable file with heavily obfuscated code that looks like a legitimate program. Once the payload (a DLL) is retrieved, it is loaded into "explorer.exe" using process hollowing to avoid detection.
Another minor change is that 3 C&C servers are used instead of 6. In addition, the domain names used for the C&C servers now contain colors and animal names.
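The naming pattern mentioned above (C&C domains built from a color word plus an animal word) is something a defender can hunt for in DNS logs. The following is an added example, not code from the Kaspersky report; the color and animal word lists, the log line format and the log lines themselves are constructed assumptions.

```python
"""Hunt DNS query logs for domains whose registrable label is a color word
combined with an animal word, the naming style reported for the updated
DTrack C&C infrastructure. Word lists and log format are constructed."""
import re

COLORS = {"red", "blue", "green", "black", "white", "yellow", "purple",
          "orange", "pink", "gray", "grey", "brown"}
ANIMALS = {"fox", "wolf", "bear", "cat", "dog", "lion", "tiger", "eagle",
           "hawk", "shark", "snake", "horse", "frog", "rabbit"}

# Longest words first so alternation prefers "green" over "grey" etc.
_COLOR = "|".join(sorted(COLORS, key=len, reverse=True))
_ANIMAL = "|".join(sorted(ANIMALS, key=len, reverse=True))
_PATTERN = re.compile(
    rf"^(?:(?P<c1>{_COLOR})[-_0-9]*(?P<a1>{_ANIMAL})"
    rf"|(?P<a2>{_ANIMAL})[-_0-9]*(?P<c2>{_COLOR}))[0-9]*$")


def color_animal_tokens(domain: str):
    """Return (color, animal) if the second-level label of `domain` is a color
    and an animal word in either order (digits/hyphens allowed between or
    after them), else None. Subdomains and the TLD are ignored."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    m = _PATTERN.match(labels[-2])
    if not m:
        return None
    return (m.group("c1") or m.group("c2"), m.group("a1") or m.group("a2"))


# Constructed DNS log lines; ".example" is a reserved, non-routable TLD.
SAMPLE_DNS_LOG = """\
2022-11-15T10:02:13Z host=WS-042 query=pinkfox.example
2022-11-15T10:02:14Z host=WS-042 query=cdn.example.org
2022-11-15T10:03:40Z host=WS-017 query=api.bluewolf23.example
2022-11-15T10:05:02Z host=WS-042 query=greenhouse.example
2022-11-15T10:06:11Z host=WS-009 query=tiger-red.example
"""


def scan_dns_log(log_text: str):
    """Return [(host, domain, color, animal)] for every query that matches."""
    hits = []
    for line in log_text.splitlines():
        host = re.search(r"host=(\S+)", line)
        query = re.search(r"query=(\S+)", line)
        if not (host and query):
            continue  # malformed line, skip rather than crash
        tokens = color_animal_tokens(query.group(1))
        if tokens:
            hits.append((host.group(1), query.group(1), *tokens))
    return hits
```

Note that "greenhouse.example" is not flagged: the heuristic requires both a color and an animal word, which keeps ordinary dictionary-word domains out of the hit list.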
Kaspersky Lab researchers have detected DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States, indicating that DTrack is spreading to different parts of the world.
The target sectors are education, chemical production, government research centers and political organizations, as well as IT service providers, utilities and telecommunications.
Microsoft previously reported that the Lazarus group trojanizes open source software and uses it to plant backdoors in technology, defense, and media and entertainment organizations. Microsoft has also detailed how the attackers use open source software and fake job offers to deceive developers and IT professionals.