North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America.
DTrack is a modular backdoor featuring a keylogger, a screenshot snapper, a browser history retriever, a running processes snooper, an IP address and network connection information snatcher, and more.
Apart from spying, it can also run commands to perform file operations, fetch additional payloads, steal files and data, and execute processes on the compromised device.
The new malware version doesn’t feature many functional or code changes compared to samples analyzed in the past, but it is now deployed far more widely.
A wider distribution
As Kaspersky explains in a report published today, their telemetry shows DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States.
The targeted sectors include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunication providers, utility service providers, and education.
In the new campaign, Kaspersky has seen DTrack distributed using filenames commonly associated with legitimate executables. For example, one sample they shared is distributed under the ‘NvContainer.exe’ file name, which is the same name as a legitimate NVIDIA file.
Kaspersky told BleepingComputer that DTrack continues to be installed by breaching networks using stolen credentials or exploiting Internet-exposed servers, as seen in previous campaigns. When launched, the malware goes through multiple decryption steps before its final payload is loaded via process hollowing into an “explorer.exe” process, running directly from memory.
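The chain described above leaves two artifacts a defender can check in process-creation telemetry: a file carrying a vendor binary's name outside that vendor's install directory, and explorer.exe started by a parent other than the usual Windows shell launchers. The following is an added detection sketch, not code from Kaspersky's report, run over constructed events; the expected-directory map and expected-parent set are assumptions.

```python
# Constructed sample of process-creation events (image path and parent image),
# modelled on the chain described above: a dropper named NvContainer.exe sitting
# in a temp directory, which then spawns explorer.exe (the hollowed host process).
# Paths and events are constructed for illustration, not captured from a real host.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\NvContainer.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\NvContainer.exe"},
    {"image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe"},
]

# Assumed map of impersonated file names to the directory prefixes they normally
# live under (lower-cased, trailing backslash so partial names do not match).
EXPECTED_DIRS = {
    "nvcontainer.exe": ["c:\\program files\\nvidia corporation\\"],
}
# Assumed set of parents that normally start explorer.exe on a Windows host.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "winlogon.exe"}


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of alert strings for one event (empty if nothing is suspicious)."""
    alerts = []
    name = basename(ev["image"])
    # Rule 1: a watched file name running from somewhere other than its vendor directory.
    if name in EXPECTED_DIRS:
        if not any(ev["image"].lower().startswith(d) for d in EXPECTED_DIRS[name]):
            alerts.append(f"masquerade: {name} running from {ev['image']}")
    # Rule 2: explorer.exe launched by a parent that is not a normal shell launcher.
    if name == "explorer.exe" and basename(ev["parent"]) not in EXPECTED_EXPLORER_PARENTS:
        alerts.append(f"unexpected parent for explorer.exe: {ev['parent']}")
    return alerts


def scan(events):
    """Run both rules over a list of events; returns (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]


if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

Neither rule proves hollowing on its own; the second one simply surfaces explorer.exe instances whose parent is worth a look.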
Read more about this at bleepingcomputer.com