S0567 Dtrack
Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. Dtrack shares similarities with the DarkSeoul campaign, which was attributed to Lazarus Group.[4][5][2][3][1]
| Item | Value |
|---|---|
| ID | S0567 |
| Associated Names | (none) |
| Type | MALWARE |
| Version | 1.1 |
| Created | 25 January 2021 |
| Last Modified | 18 October 2022 |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1560 | Archive Collected Data | Dtrack packs collected data into a password-protected archive.[5] |
| Enterprise | T1547 | Boot or Logon Autostart Execution | Dtrack's RAT creates a persistent target file that is executed automatically when the host starts.[5] |
| Enterprise | T1217 | Browser Information Discovery | Dtrack can retrieve browser history.[5][3] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Dtrack has used cmd.exe to add a persistent service.[3] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Dtrack can add a service called WBService to establish persistence.[3] |
| Enterprise | T1005 | Data from Local System | Dtrack can collect a variety of information from victim machines.[3] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Dtrack can save collected data to disk, in different file formats, and to network shares.[5][3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Dtrack has used a decryption routine that is part of an executable physical patch.[5] |
| Enterprise | T1083 | File and Directory Discovery | Dtrack can list files on available disk volumes.[5][3] |
| Enterprise | T1574 | Hijack Execution Flow | Dtrack can replace the normal flow of program execution with malicious code.[3] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Dtrack can remove its persistence and delete itself.[5] |
| Enterprise | T1105 | Ingress Tool Transfer | Dtrack can download files to and upload files from the victim's computer.[5][3] |
| Enterprise | T1056.001 | Input Capture: Keylogging | Dtrack's dropper contains a keylogging executable.[5] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Dtrack can hide in replicas of legitimate programs such as OllyDbg, 7-Zip, and FileZilla.[3] |
| Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | Dtrack has used a dropper that embeds an encrypted payload as extra data.[5] |
| Enterprise | T1057 | Process Discovery | Dtrack's dropper can list all running processes.[5][3] |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | Dtrack has used process hollowing shellcode to target a predefined list of processes from %SYSTEM32%.[5] |
| Enterprise | T1012 | Query Registry | Dtrack can collect the RegisteredOwner, RegisteredOrganization, and InstallDate registry values.[3] |
| Enterprise | T1129 | Shared Modules | Dtrack contains a function that calls LoadLibrary and GetProcAddress.[3] |
| Enterprise | T1082 | System Information Discovery | Dtrack can collect the victim's computer name, hostname, and adapter information to create a unique identifier.[5][3] |
| Enterprise | T1016 | System Network Configuration Discovery | Dtrack can collect the host's IP addresses using the ipconfig command.[5][3] |
| Enterprise | T1049 | System Network Connections Discovery | Dtrack can collect network and active connection information.[5] |
| Enterprise | T1078 | Valid Accounts | Dtrack used hard-coded credentials to gain access to a network share.[3] |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | [4] |
References

- Catalin Cimpanu. (2019, October 30). Confirmed: North Korean malware found on Indian nuclear plant's network. Retrieved January 20, 2021.
- Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
- Kaspersky Global Research and Analysis Team. (2019, September 23). DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers. Retrieved January 20, 2021.
- Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.