The infamous North Korean hacker collective, Lazarus Group, is using an updated version of its DTrack backdoor to target companies in Europe and Latin America. Kaspersky researchers say the group appears to be cash-strapped, since the campaign is purely for profit.
BleepingComputer reported that threat actors are using the updated DTrack to attack companies in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States.
Companies under fire include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunications providers, utility providers and education companies.
DTrack is described as a modular backdoor. It can log keystrokes, take screenshots, retrieve browser history, list running processes, and collect network login information.
It can also run different commands on the target device, download additional malware and exfiltrate data.
After the update, DTrack uses hashed API names to resolve libraries and functions instead of obfuscated strings, and it now uses only three command and control (C2) servers, down from six before.
Some of the C2 servers that Kaspersky found the backdoor using are "pinkgoat[.]com", "aguapuratokio[.]com", "osopurple[.]com" and "salmonrabbit[.]com".
Kaspersky also found that DTrack is distributed under file names usually associated with legitimate executables.
In one case, the researchers said, the backdoor was hiding behind "NvContainer.exe," an executable file typically distributed by NVIDIA. The group used stolen credentials to connect to target networks, or exploited servers exposed to the Internet, in order to install the malware.
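The two indicators the article gives a defender something concrete to check for are the defanged C2 domain names and the use of a legitimate-looking file name such as NvContainer.exe. The script below is an added example written for this page; it is not code from the article, from BleepingComputer, or from Kaspersky's report. It refangs the domains exactly as listed above and matches them (and their subdomains) against DNS log lines, and it flags a process named NvContainer.exe that runs from somewhere other than its usual install directory. The DNS log format, the sample log lines, and the expected NVIDIA install path are assumptions constructed for the example.

```python
"""Added detection example for the DTrack indicators named in the article.

Two defender-side checks:
  1. DNS log lines that resolve one of the listed C2 domains (or a subdomain).
  2. A process named NvContainer.exe running from a directory other than the
     one a default NVIDIA install places it in.

The log line format, the sample lines and the expected install directory are
assumptions made for this example, not values taken from the report.
"""
import re
from typing import List, Optional, Tuple

from pathlib import PureWindowsPath

# Defanged C2 domains as listed in the article; refanged before matching.
DEFANGED_C2 = [
    "pinkgoat[.]com",
    "aguapuratokio[.]com",
    "osopurple[.]com",
    "salmonrabbit[.]com",
]


def refang(domain: str) -> str:
    """Turn the defanged 'example[.]com' form into a matchable 'example.com'."""
    return domain.replace("[.]", ".").lower()


C2_DOMAINS = [refang(d) for d in DEFANGED_C2]


def domain_matches_c2(qname: str) -> Optional[str]:
    """Return the C2 domain that qname equals or is a subdomain of, else None.

    A trailing dot (fully qualified form) and letter case are ignored.
    'notpinkgoat.com' must NOT match, hence the '.' prefix in the suffix test.
    """
    q = qname.rstrip(".").lower()
    for c2 in C2_DOMAINS:
        if q == c2 or q.endswith("." + c2):
            return c2
    return None


# Assumed log format: "<timestamp> <client_ip> query <qname>" (constructed).
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, queried_name, matched_c2) for every C2 lookup."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        c2 = domain_matches_c2(m.group("qname"))
        if c2:
            hits.append((m.group("client"), m.group("qname"), c2))
    return hits


# Assumed location of the genuine binary on a default NVIDIA install.
EXPECTED_NVCONTAINER_DIRS = (
    PureWindowsPath(r"C:\Program Files\NVIDIA Corporation\NvContainer"),
)


def suspicious_nvcontainer(image_path: str) -> bool:
    """True if a process is named NvContainer.exe but lives outside its normal directory.

    Path comparison via PureWindowsPath is case-insensitive, as on Windows.
    """
    p = PureWindowsPath(image_path)
    if p.name.lower() != "nvcontainer.exe":
        return False
    return not any(p.parent == d for d in EXPECTED_NVCONTAINER_DIRS)


# Constructed sample DNS log: two C2 lookups, one benign name, one near-miss.
SAMPLE_DNS_LOG = [
    "2022-11-15T10:01:02Z 10.0.0.5 query update.microsoft.com",
    "2022-11-15T10:01:07Z 10.0.0.5 query cdn.pinkgoat.com",
    "2022-11-15T10:02:11Z 10.0.0.9 query salmonrabbit.com.",
    "2022-11-15T10:02:30Z 10.0.0.9 query notpinkgoat.com",
]

if __name__ == "__main__":
    for client, qname, c2 in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"C2 lookup from {client}: {qname} -> {c2}")
    for path in (r"C:\Users\Public\NvContainer.exe",
                 r"C:\Program Files\NVIDIA Corporation\NvContainer\NvContainer.exe"):
        print(f"{path}: {'SUSPICIOUS' if suspicious_nvcontainer(path) else 'expected location'}")
```

The path check is deliberately a first filter, not a verdict: on a live host the next step is to verify the file's Authenticode signature and compare its hash with the copy shipped by NVIDIA, since a name-and-path match alone proves nothing. The near-miss line (`notpinkgoat.com`) is included because a plain substring match on the C2 list would flag it, and such false positives are what make domain-based alerts get ignored.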