Lazarus APT uses DTrack backdoor in attacks against LATAM and European orgs

North Korea-linked Lazarus APT is using a new version of the DTrack backdoor in attacks aimed at organizations in Europe and Latin America.

North Korea-linked APT Lazarus is using a new version of the DTrack backdoor to attack organizations in Europe and Latin America, Kaspersky researchers warn.

DTrack is a modular backdoor used by the Lazarus group since 2019, it was employed in attacks against a wide variety of targets, from financial environments to a nuclear power plan.

DTrack allows attackers to gather information from the infected host, and upload/download/manipulate files on the infected host, exfiltrate data, and execute commands.

Experts noticed that the DTrack versions used in recent attacks are similar to past ones, however, it is now employed to target a growing number of targets.

The backdoor unpacking process is composed of several stages, the second-stage malicious code is stored inside the malware PE file. DTrack retrieves the payload by reading it from an offset within the file or by reading it from a resource within the PE binary.

The second stage payload is a heavily obfuscated shellcode, the APT group used an encryption method different for each sample.

Unlike previous DTrack variants, the one employed in the recent attacks could employ more than three stage payloads.

“One new aspect of the recent DTrack variants is that the third stage payload is not necessarily the final payload; there may be another piece of binary data consisting of a binary configuration and at least one shellcode, which in turn decrypts and executes the final payload.” continues the analysis.

Once the final payload (a DLL) is decrypted, the malicious code leverages the process hollowing to load into explorer.exe. Another difference in recent campaigns is that the recent variants of the backdoor uses three C2 servers instead of six.

Kaspersky reported attacks against entities in multiple industries, including education, chemical manufacturing, governmental research centers and policy institutes, IT service providers, utility providers and telecommunications.

Recent attacks hit entities in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the United States.

“The DTrack backdoor continues to be used actively by the Lazarus group. Modifications in the way the malware is packed show that Lazarus still sees DTrack as an important asset. Despite this, Lazarus has not changed the backdoor much since 2019, when it was initially discovered.” concludes the report. “When the victimology is analyzed, it becomes clear that operations have expanded to Europe and Latin America, a trend we’re seeing more and more often.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]