DTrack backdoor used by Korean hackers to target European orgs

November 18, 2022

Latin American and European organisations face a new threat from North Korean hackers who utilise a new version of the DTrack backdoor. This malware is a modular backdoor whose components include a screenshot snapper, a browser history grabber, a keylogger, a running-process lister, and a harvester of IP address and network connection data.

The new malware version does not feature many functional or code changes compared to the previous version that researchers analysed. However, the new DTrack backdoor variant is launched on a broader scale.

Researchers spotted the backdoor attacking countries from the Latin American region, such as Mexico. In addition, some parts of Europe, like Germany, Switzerland, and Brazil, suffered from the backdoor threat.


The operators of the DTrack backdoor target the critical sectors of a country.


Based on an investigation, the sectors targeted by the DTrack backdoor operators include policy institutes, chemical manufacturers, telecom providers, IT service providers, academic institutions, and research centres.

During the group's latest campaigns, the researchers said that the backdoor is distributed under filenames that are usually associated with legitimate executables. The best example of this distribution tactic is that the threat actors used a filename called NVContainer[.]exe, which mimics the name of a genuine NVIDIA system file.

Furthermore, the DTrack backdoor continues to spread by breaching networks with stolen credentials or by abusing servers leaked from previous cybercriminal campaigns.

For DTrack’s execution, the malware goes through several decryption stages before its final payload is loaded through process hollowing. After hollowing, the payload runs as an “explorer[.]exe” process directly from memory.

The only changes from the previous DTrack variants are the use of API hashing to load libraries and functions instead of hiding strings, and a reduction in the number of command-and-control servers, which was cut in half to three.

Some of the command-and-control domains used by the new DTrack variant that the researchers spotted are purewatertokyo[.]com, purplebear[.]com, pinkgoat[.]com, and salmonrabbit[.]com.
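The indicators reported above (the NVContainer[.]exe lookalike, the hollowed explorer[.]exe process, and the four command-and-control domains) can be turned into simple telemetry checks. The following is an added example written for this article, not code from the researchers; it assumes Sysmon-style JSON events with `event`, `image`, `parent_image` and `query` fields, an assumed legitimate NVIDIA install directory, and an assumed list of normal parents for explorer.exe, and runs over a constructed sample log.

```python
"""Constructed detection sketch for the DTrack indicators named in the article."""
import json
from typing import Dict, List, Tuple

# C2 domains from the article; the [.] de-fanging used there is removed here.
DTRACK_C2_DOMAINS = {"purewatertokyo.com", "purplebear.com", "pinkgoat.com", "salmonrabbit.com"}
# Assumption: where the genuine NVIDIA binary normally lives (not stated in the article).
EXPECTED_NVCONTAINER_DIR = r"c:\program files\nvidia corporation\nvcontainer"
# Assumption: processes that legitimately launch explorer.exe on a desktop.
NORMAL_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for one parsed event; empty list if clean."""
    findings: List[Tuple[str, str]] = []
    if ev.get("event") == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q in DTRACK_C2_DOMAINS or any(q.endswith("." + d) for d in DTRACK_C2_DOMAINS):
            findings.append(("c2_domain", q))
    elif ev.get("event") == "process_create":
        image = ev.get("image", "")
        name = basename(image)
        # Filename masquerade: NVContainer.exe started from outside the NVIDIA directory.
        if name == "nvcontainer.exe" and not image.lower().startswith(EXPECTED_NVCONTAINER_DIR):
            findings.append(("nvcontainer_masquerade", image))
        # Hollowed explorer.exe: the decoy process is spawned by an unexpected parent.
        if name == "explorer.exe":
            parent = basename(ev.get("parent_image", ""))
            if parent not in NORMAL_EXPLORER_PARENTS:
                findings.append(("explorer_unusual_parent", parent))
    return findings


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run check_event over newline-delimited JSON events and collect all findings."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        findings.extend(check_event(json.loads(line)))
    return findings


# Constructed sample telemetry: two benign events, three matching the article's indicators.
SAMPLE_LOG = [
    r'{"event":"dns","query":"update.microsoft.com"}',
    r'{"event":"dns","query":"pinkgoat.com"}',
    r'{"event":"process_create","image":"C:\\Users\\Public\\NVContainer.exe","parent_image":"C:\\Windows\\System32\\cmd.exe"}',
    r'{"event":"process_create","image":"C:\\Windows\\explorer.exe","parent_image":"C:\\Users\\Public\\NVContainer.exe"}',
    r'{"event":"process_create","image":"C:\\Windows\\explorer.exe","parent_image":"C:\\Windows\\System32\\userinit.exe"}',
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(rule, detail)
```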

The researchers firmly believe that the new DTrack backdoor is heavily tied to the North Korean-backed Lazarus hacking group. Cybersecurity experts added that these threat actors would use the backdoor against any target they want.
