Cybersecurity researchers have discovered previously unknown spyware, called Dtrack, in Indian financial institutions and research centres. Dtrack was reportedly created by the Lazarus Group, a hacking group linked to North Korea. The Lazarus Group is also suspected of being the mastermind behind WannaCry, the 2017 global ransomware attack that targeted computers running the Windows operating system by encrypting their data and demanding a ransom in Bitcoin. Dtrack is used as a remote administration tool (RAT) to carry out malicious activities, record keystrokes, and upload and download files on victims' computers.
Last year, the Russian cybersecurity firm Kaspersky discovered ATMDtrack, malware created to infiltrate Indian ATMs and steal customer card data. During the follow-up investigation, researchers found more than 180 new malware samples similar to ATMDtrack but not aimed at ATMs. Instead, they operated as spy tools, now known as Dtrack. Researchers found not only striking similarities between ATMDtrack and Dtrack, but also that both shared similarities with the 2013 DarkSeoul campaign, which was attributed to Lazarus, a group responsible for multiple cyberespionage and cyber-sabotage operations.
Dtrack gives attackers complete control over infected devices, allowing them to upload and download files on victims' computers and to execute key processes. The Dtrack RAT can infiltrate systems with weak network security policies and password standards. Once installed, it can access all available files and running processes, log keystrokes, and collect browser history and host IP addresses, including information about available networks and active connections. The newly discovered malware is active and is still being used in cyberattacks.
"Successful execution of Dtrack RAT proves that even when a threat seems to disappear, it can be resurrected in a different guise to attack new targets. Even if you are a research centre or a financial organisation that operates solely in the commercial sector with no government affiliates, you should still consider the possibility of being attacked by a sophisticated threat actor in your threat model and prepare respectively," said Konstantin Zykov, security researcher at Kaspersky's Global Research and Analysis Team.
Experts describe Lazarus as a rather unusual nation-state-sponsored group: it focuses on conducting cyber-espionage and sabotage operations, but it has also been found to be involved in attacks aimed at stealing money, experts say. Lazarus is said to be one of the most active APT groups, continually developing and evolving its threats in a bid to affect large-scale industries.