Lazarus Group - DTrack Malware - Europe

Lazarus group targets Europe with DTrack malware

Kaspersky has released a new report on DTrack, a malware strain used by North Korean cybercriminals to target organizations located primarily in Europe and Latin America.

DTrack is a backdoor with multiple spying capabilities. It acts as a keylogger, but can also take screenshots, collect browsing history and the list of running processes, and so on. Beyond these functions, it can execute commands, exfiltrate data and launch processes on the compromised machine. All in all, a very versatile piece of malware.

This threat is not new; rather, it is making a comeback. This time, it appears to be distributed much more widely than in the past. According to the Kaspersky report, the threat was identified in Europe (Germany, Italy, Switzerland, Turkey), in Latin America (Brazil, Mexico), as well as in India, the United States and Saudi Arabia.

The targeted sectors are fairly varied: political organizations, public services and schools, as well as chemical manufacturers, IT service providers and telecom companies.

Kaspersky attributed this campaign of attacks to Lazarus, a group of cybercriminals from North Korea.

How DTrack is distributed

In this new campaign, DTrack appears to be distributed under legitimate executable names. For instance, Kaspersky cites the name "NvContainer.exe", which is used by Nvidia, except that in this case the file is DTrack.

DTrack is then deployed on compromised machines using stolen credentials (obtained via a phishing campaign, for example) or by exploiting vulnerabilities in Internet-exposed servers. Once DTrack is in place, the backdoor hides within an explorer.exe process.

Through an API, it connects to C2 servers in order to load various libraries. Kaspersky mentions the following domains: "pinkgoat[.]com", "purewatertokyo[.]com", "purplebear[.]com" and "salmonrabbit[.]com".

This threat could very well reach France, if it hasn't already, since the analysis above reflects only what Kaspersky itself has observed.

Source

