
DTrack activity targeting Europe and Latin America

2022-11-15, Kaspersky
https://securelist.com/dtrack-targeting-europe-latin-america/107798/
#DTrack


Introduction
DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. The Lazarus group deploys it against a wide variety of targets: for example, we’ve seen it used in financial environments where ATMs were breached, in attacks on a nuclear power plant and also in targeted ransomware attacks. Essentially, it is deployed anywhere the Lazarus group believes it can achieve some financial gain.
DTrack allows criminals to upload, download, start or delete files on the victim host. Among the downloaded and executed files already spotted in the standard DTrack toolset are a keylogger, a screenshot maker and a module for gathering victim system information. With a toolset like this, criminals can perform lateral movement within the victims’ infrastructure in order to, for example, retrieve compromising information.
As part of our crimeware reporting service, we published a new private report about recent …

IoC

File hashes (MD5)
1A74C8D8B74CA2411C1D3D22373A6769
67F4DAD1A94ED8A47283C2C0C05A7594

IP addresses
52.128.23.153
58.158.177.102
64.190.63.111

URLs
http://pinkgoat.com
http://purewatertokyo.com
http://purplebear.com
http://salmonrabbit.com