Lazarus malware improved: now targeting Europe and Latin America

DTrack backdoor malware used by North Korean groups is being deployed against organizations in Europe and the US

Image caption: DTrack malware is now spreading in Latin America and Europe.

North Korean hackers are now targeting organizations with a new version of the malware. DTrack is a backdoor with a range of capabilities and is now being deployed on systems belonging to European and Latin American organizations.[1] It can log keystrokes, capture screenshots and retrieve browser history, and it collects information on running processes, the host's IP address, active network connections and more.[2]

Besides spying on these entities, the backdoor can execute commands to perform file operations, fetch additional payloads from its remote server and steal data from the affected machine or network. It can also launch programs and processes on any compromised device.

This new variant lacks some of the primary features found in earlier versions, and its code differs from the samples researchers have obtained and analyzed in the past. However, according to recent reports,[3] the new DTrack backdoor[4] is being deployed more widely.

The main difference from past versions is that the new variant uses API hashing to load libraries and functions, whereas earlier versions relied more on string obfuscation. The number of C2 servers has also been cut down to just three.
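API hashing means the binary never stores the names of the Windows functions it imports; it stores a numeric hash of each name and walks a DLL's export table at runtime until a name hashes to the same value. The analyst's counter is a lookup table built the other way round. The following Python is an added illustration, not code from the original article or from the researchers it cites; the page does not say which hash algorithm DTrack uses, so the classic ROR-13 additive hash is assumed here purely as a stand-in, and both the export list and the "observed" constants are constructed for the example.

```python
"""
Analyst-side helper for API-hashed imports.

Malware that resolves imports by hash hides which Windows APIs it uses from
simple string inspection.  The defender's answer is a lookup table: hash every
export name you know, then map constants recovered from a sample back to names.

Assumption: the hash algorithm DTrack uses is not given on the page, so the
well-known ROR-13 scheme stands in as an illustrative example.
"""
from typing import Callable, Dict, Iterable, Optional

HashFn = Callable[[str], int]
MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str) -> int:
    """Illustrative ROR-13 hash over the ASCII bytes of an export name."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def build_lookup(exports: Iterable[str], hash_fn: HashFn = ror13_hash) -> Dict[int, str]:
    """Map hash -> export name; refuse to build a table with silent collisions."""
    table: Dict[int, str] = {}
    for name in exports:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} and {name!r} -> {h:#010x}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Resolve each observed constant; unknown hashes map to None."""
    return {h: table.get(h) for h in hashes}


# Constructed export list: a handful of real Win32 names matching the
# capabilities the article describes (keylogging, screenshots, file and
# network operations).  A real table would come from the DLLs' export tables.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "CreateFileW", "ReadFile", "WriteFile",
    "GetAsyncKeyState", "BitBlt", "GetDC", "WSAStartup", "gethostbyname",
    "CreateProcessW", "VirtualAlloc",
]


def demo() -> Dict[int, Optional[str]]:
    """Resolve a constructed set of 'observed' constants against the table."""
    table = build_lookup(SAMPLE_EXPORTS)
    observed = [
        ror13_hash("GetAsyncKeyState"),  # constructed: matches a known export
        ror13_hash("CreateFileW"),       # constructed: matches a known export
        0xDEADBEEF,                      # constructed: no match in our table
    ]
    return resolve_hashes(observed, table)


if __name__ == "__main__":
    for h, name in demo().items():
        print(f"{h:#010x} -> {name or '<unknown>'}")
```

In practice the export list is generated from the actual DLLs on the victim's Windows version (names differ between builds), and the hash function is swapped for whichever scheme the sample implements once it has been identified in the disassembly; `build_lookup` takes the hash function as a parameter for exactly that reason.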

The malware is used in financial environments

Analysis of the infections shows that the threat is widespread in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the US. The targets span various sectors but mainly include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunication providers, utility providers, and even education.

Distribution appears to rely on filenames associated with common, legitimate executables. The samples use NVIDIA file names so that the malicious files can be silently installed on the machine without raising questions or suspicion.

DTrack is also installed after attackers breach networks using stolen credentials or by exploiting Internet-exposed servers, as in previous campaigns.[5] The malware goes through several stages before the final backdoor is launched, which then runs directly from memory.

Following the common trend

This malware has been linked to the North Korean hacker group Lazarus for many years. The group uses DTrack when it sees potential for financial gain; financial motivation is common among criminals, especially when organizations are the target.

Backdoors can collect data for later use in extortion campaigns and other purposes. Ransomware, for example, serves both as a direct threat and as the tool behind the ransom demand. Researchers note that shifting targets to Europe for financial gain is common among threat actors and malware distributors today.

Lazarus has not changed the backdoor much since 2019, when it was initially discovered. When the victimology is analyzed, it becomes clear that operations have expanded to Europe and Latin America, a trend we’re seeing more and more often.

The backdoor has also been linked to another North Korean actor, Andariel, which uses Maui ransomware against corporate networks in the US and South Korea. DTrack has likewise been attributed to the Wassonite group, also from North Korea, which is known for attacking nuclear energy and oil and gas facilities.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of the site's News Editors. He graduated from Washington and Jefferson College, where he studied Communication and Journalism.
