Summary
The backdoor DTrack, widely used by the North Korean Lazarus group over the last three years, is still being deployed to target organizations in Europe, the US and Latin America. According to Kaspersky, DTrack has been used in financial environments to breach ATMs in ransomware attacks and in campaigns against a nuclear power plant in India.
DTrack allows criminals to upload, download, start or delete files on the victim host. Among the tools available within DTrack toolset, there is a keylogger, a screenshot maker and a module for gathering victim system information.
The DTrack backdoor continues to be used actively by the Lazarus group. Modifications in the way the malware is packed is an indication of how valuable this tool is for the Lazarus group.
IOCs
C2 domains
- pinkgoat[.]com
- purewatertokyo[.]com
- purplebear[.]com
- salmonrabbit[.]com
MD5
- 1A74C8D8B74CA2411C1D3D22373A6769
- 67F4DAD1A94ED8A47283C2C0C05A7594
SOD Actions
As part of the proactive actions, Security On-Demand is monitoring all our customers infrastructure thought the use of our platforms and the available indicators of compromise available for this tool. Also, SOD is constantly monitoring the web for any new IoC that might become available.
Please contact your Security On-Demand Customer Success Manager if you have any questions about this alert.
