Lazarus’ Dtrack marathon
From breaching financial institutions worldwide to organisations in the aerospace sector, as well as compromising the Kudankulam Nuclear Power Plant in late 2019, Lazarus Group conducted multiple high-profile operations in the past year. Tying together the threat actor’s espionage and financially-motivated intrusions has been one tool in particular: Dtrack. In this talk, we will take attendees on our journey analysing the Dtrack remote access trojan, and discuss how the hunt for Dtrack led us to further discoveries: a dropper family PwC calls TrackDrop, and further connections between Lazarus Group and the related threat actor known as Andariel. To tread the path of that journey, paved with indicators of compromise, we’ll provide a reverse-engineering analysis of the Dtrack RAT and its defining features and capabilities. Starting with a few samples created in 2019, we’ll explain how we hunted Dtrack samples back in time - back to its roots in 2014. We’ll …