
S0567 Dtrack

Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. Dtrack shares similarities with the DarkSeoul campaign, which was attributed to Lazarus Group. [4][5][2][3][1]

| Item | Value |
|---|---|
| ID | S0567 |
| Associated Names | |
| Version | 1.1 |
| Created | 25 January 2021 |
| Last Modified | 18 October 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | Dtrack packs collected data into a password-protected archive. [5] |
| enterprise | T1547 | Boot or Logon Autostart Execution | Dtrack’s RAT creates a persistent target file that executes automatically when the host starts. [5] |
| enterprise | T1217 | Browser Information Discovery | Dtrack can retrieve browser history. [5][3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Dtrack has used cmd.exe to add a persistent service. [3] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Dtrack can add a service called WBService to establish persistence. [3] |
| enterprise | T1005 | Data from Local System | Dtrack can collect a variety of information from victim machines. [3] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Dtrack can save collected data to disk, in different file formats, and to network shares. [5][3] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Dtrack has used a decryption routine that is part of an executable physical patch. [5] |
| enterprise | T1083 | File and Directory Discovery | Dtrack can list files on available disk volumes. [5][3] |
| enterprise | T1574 | Hijack Execution Flow | One variant of Dtrack can replace the normal flow of a program’s execution with malicious code. [3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Dtrack can remove its persistence and delete itself. [5] |
| enterprise | T1105 | Ingress Tool Transfer | Dtrack can download and upload a file to the victim’s computer. [5][3] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Dtrack’s dropper contains a keylogging executable. [5] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | One variant of Dtrack can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla. [3] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.009 | Embedded Payloads | Dtrack has used a dropper that embeds an encrypted payload as extra data. [5] |
| enterprise | T1057 | Process Discovery | Dtrack’s dropper can list all running processes. [5][3] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.012 | Process Hollowing | Dtrack has used process hollowing shellcode to target a predefined list of processes from %SYSTEM32%. [5] |
| enterprise | T1012 | Query Registry | Dtrack can collect the RegisteredOwner, RegisteredOrganization, and InstallDate registry values. [3] |
| enterprise | T1129 | Shared Modules | Dtrack contains a function that calls LoadLibrary and GetProcAddress. [3] |
| enterprise | T1082 | System Information Discovery | Dtrack can collect the victim’s computer name, hostname, and adapter information to create a unique identifier. [5][3] |
| enterprise | T1016 | System Network Configuration Discovery | Dtrack can collect the host’s IP addresses using the ipconfig command. [5][3] |
| enterprise | T1049 | System Network Connections Discovery | Dtrack can collect network and active connection information. [5] |
| enterprise | T1078 | Valid Accounts | Dtrack used hard-coded credentials to gain access to a network share. [3] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | [4] |