
Top 3 states detected with Dtrack samples: Maharashtra, Karnataka and Telangana

October 18, 2019

At a recent event in Delhi, Kaspersky discussed its discovery of Dtrack, a previously unknown spy tool that had been spotted in financial institutions and research centres.

In late summer 2018, Kaspersky researchers discovered ATMDtrack, malware that steals customer card data from infected ATMs. Following further investigation using the Kaspersky Attribution Engine and other tools, the researchers found more than 180 new malware samples that shared code sequences with ATMDtrack but were clearly not aimed at ATMs. Instead, their list of functions identified them as spy tools, now known as Dtrack. Moreover, the two strains share similarities not only with each other but also with the 2013 DarkSeoul campaign, which was attributed to Lazarus, an infamous advanced persistent threat actor responsible for multiple cyberespionage and cyber sabotage operations.

The Dtrack samples were detected in as many as 18 states in India: 24% were found in Maharashtra, followed by Karnataka (18.5%) and Telangana (12%). The other main infected states include West Bengal, Uttar Pradesh, Tamil Nadu, Delhi and Kerala.

Dtrack can be used as a remote administration tool (RAT), giving threat actors complete control over infected devices. Criminals can then perform different operations, such as uploading and downloading files and executing key processes.

At the event, Konstantin Zykov, Security Researcher at Kaspersky’s Global Research and Analysis Team, explained Dtrack: “The large amount of Dtrack samples we found demonstrates that Lazarus is one of the most active APT groups, constantly developing and evolving threats in a bid to affect large-scale industries and seeking to evade detection. Their successful execution of Dtrack RAT proves that even when a threat seems to disappear, it can be resurrected in a different guise to attack new targets.”

Saurabh Sharma, Senior Security Researcher (GReAT), Kaspersky (APAC), said, “With more than 243,000 online banking attacks in the beginning of 2019 and now with the discovery of Dtrack malware, organisations should consider the possibility of being attacked by a sophisticated threat actor and prepare accordingly. Along with the initiatives introduced by the government, it is also the organisations’ and users’ responsibility to be more cautious of such attacks.”

Based on Kaspersky telemetry, the newly discovered malware is still active and still used in cyberattacks.

To avoid being affected by malware such as Dtrack RAT, Kaspersky recommends that organisations:

  • Tighten their network and password policies
  • Perform regular security audits of their IT infrastructure
  • Conduct regular security training sessions for staff
  • Use traffic monitoring software, such as Kaspersky Anti Targeted Attack Platform (KATA)
  • Use antivirus solutions

More information about Dtrack can be found on Securelist.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
