DTrack expands its operations to Europe and Latin America

DTrack is a Lazarus group backdoor used across a wide range of targets, including financial environments, a nuclear power plant, and targeted ransomware campaigns. The analysis highlights a multi-stage deployment with decryption and obfuscation, plus expanding reach into Europe and Latin America. #DTrack #Lazarus #ATMs #NuclearPowerPlant #Europe #LatinAmerica

Key points

  • DTrack is a Lazarus group backdoor active since 2019, observed against finance, energy, governmental, and IT sectors.
  • The malware uses a multi-stage architecture: first-stage implanted code, second-stage heavily obfuscated shellcode, and a configurable third-stage/final payload.
  • Payload retrieval uses offset-based or resource-based techniques within the PE binary, followed by decryption with a custom config.
  • The final payload is a DLL loaded into explorer.exe via process hollowing; API hashing is used to resolve the libraries and functions it needs.
  • The backdoor employs masquerading to appear as a legitimate program and uses staged decryption to complicate analysis.
  • Infrastructure shows color-animal domain patterns (pinkgoat, purplebear, salmonrabbit, purewatertokyo) with associated IPs and ASNs.
  • Victims span Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States across education, manufacturing, government research, IT services, utilities, and telecom sectors.

MITRE Techniques

  • [T1036] Masquerading – DTrack hides itself inside an executable that looks like a legitimate program (‘DTrack hides itself inside an executable that looks like a legitimate program’).
  • [T1140] Deobfuscate/Decode Files or Information – The second-stage payload is described as heavily obfuscated shellcode (‘The second stage payload is heavily obfuscated shellcode’).
  • [T1027] Obfuscated/Compressed Files and Information – The encryption method used by the second layer differs for each sample, with modified RC4/RC5/RC6 algorithms (‘The encryption method used by the second layer differs for each sample. So far, we have spotted modified versions of RC4, RC5 and RC6 algorithms.’).
  • [T1055.012] Process Hollowing – Final payload is loaded using process hollowing into explorer.exe (‘final payload is loaded using process hollowing into explorer.exe’).
  • [T1056.001] Keylogging – The toolset includes a keylogger (‘there is a keylogger, a screenshot maker and a module for gathering victim system information’).
  • [T1113] Screen Capture – The toolset includes a screenshot capability (‘a screenshot maker’).
  • [T1082] System Information Discovery – The malware gathers victim system information (‘a module for gathering victim system information’).
  • [T1105] Ingress Tool Transfer – Upload and download capability is described (‘upload, download, start or delete files on the victim host’).
  • [T1071.001] Web Protocols (Command and Control) – C2 communication is evidenced by multiple domains and three C2 servers (‘three C2 servers are used instead of six’).

Indicators of Compromise

  • [Domain] C2 domains – pinkgoat.com, purplebear.com, and 2 more domains
  • [IP] C2 IPs – 64.190.63.111, 58.158.177.102, and 1 more IP
  • [MD5] Hashes – 1A74C8D8B74CA2411C1D3D22373A6769, 67F4DAD1A94ED8A47283C2C0C05A7594

Read more: https://securelist.com/dtrack-targeting-europe-latin-america/107798/