
Why Dtrack RAT Malware is a Threat for Indian Financial Institutions


Recently, a security firm discovered that Dtrack malware was targeting Indian banks. Read on to know more…

Recently, Kaspersky discovered the Dtrack spy tool when they were analyzing the ATMDtrack malware that was targeting Indian banks. The Dtrack RAT has been attributed to the Lazarus group, which is said to be fairly active in terms of malware development. The Dtrack RAT has been targeting Indian financial institutions and research centers with tools similar to those used in the 2013 Seoul campaigns.

The first Dtrack samples to be discovered were droppers: the real payload was stored encrypted inside each dropper rather than shipped on its own. Once the final payload was decrypted, several similarities with the DarkSeoul campaign emerged, which led to the campaign being associated with the Lazarus group. Researchers from Kaspersky believe that part of the old code was reused in the attacks against the Indian financial sector. The last detected Dtrack activity dates from early September 2019.

“Kaspersky Global Research and Analysis Team have discovered a previously unknown spy tool, which had been spotted in Indian financial institutions and research centres.

“Called Dtrack, this spyware reportedly was created by the Lazarus group and is being used to upload and download files to victims’ systems, record keystrokes and conduct other actions typical of a malicious remote administration tool (RAT),” Kaspersky said in a statement.

Working Mechanism
The dropper has an encrypted payload embedded as an overlay of a PE file. The overlay data, when decrypted, contains an extra executable, process hollowing shellcode, and a list of predefined executable names.

• Its decryption routine is located between the start() and WinMain() functions.
• The malicious code is embedded into a binary that is otherwise a harmless executable, such as a Visual Studio MFC project.
• Once the data is decrypted, the process hollowing code starts. It takes the name of the process to be hollowed as an argument.

The droppers were found to contain several executables used for spying.

• Some payload executables were capable of keylogging, listing running processes, listing files on all disk volumes, harvesting details about available networks and active connections, and stealing host IP addresses.
• Some executables pack the collected data into a password-protected archive and save it to disk. Others send the data directly to their command-and-control server.

“Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading/downloading, executing files, etc,” said the researchers.

Although ATMDtrack belongs to the Dtrack family, the two look different. The ATMDtrack samples are not encrypted, while Dtrack carries an encrypted payload inside its dropper. Researchers also identified unique byte sequences common to the ATMDtrack and Dtrack memory dumps.

Because the attackers behind this campaign aim to gain partial control of the network for espionage, security experts recommend that companies:

• Enhance network and password policies
• Use traffic monitoring software and antivirus solutions

Apart from these, companies should also be on the lookout for the following Indicators of Compromise (IoCs):
• 8f360227e7ee415ff509c2e443370e56
• 3a3bad366916aa3198fd1f76f3c29f24
• F84de0a584ae7e02fb0ffe679f96db8d
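A defender-side triage check for the dropper layout described under Working Mechanism (payload stored as an encrypted overlay of a PE file), written as an added example rather than code from the article or from Kaspersky's analysis: it walks the PE section table to find where the overlay begins, scores the overlay's entropy, and compares the file's MD5 with the three hashes listed above. The minimal PE it builds is constructed here purely as test input, and the 7.0-bit entropy threshold is an assumption, not a published figure.

```python
import hashlib
import math
import struct
from collections import Counter

KNOWN_DTRACK_MD5 = {  # the three MD5 hashes from the article's IoC list, lowercased
    "8f360227e7ee415ff509c2e443370e56",
    "3a3bad366916aa3198fd1f76f3c29f24",
    "f84de0a584ae7e02fb0ffe679f96db8d",
}

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def overlay_info(data: bytes) -> dict:
    """Locate the PE overlay, measure its entropy, and check the MD5 against the IoCs."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size          # section table follows the optional header
    end = table + num_sections * 40         # 40-byte IMAGE_SECTION_HEADER entries
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = data[end:]                    # anything past the last section's raw data
    ent = round(shannon_entropy(overlay), 2)
    return {
        "overlay_offset": end,
        "overlay_size": len(overlay),
        "entropy": ent,
        "high_entropy_overlay": len(overlay) >= 1024 and ent > 7.0,  # assumed threshold
        "known_dtrack_hash": hashlib.md5(data).hexdigest() in KNOWN_DTRACK_MD5,
    }

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE (one section, no optional header) used only as test input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)      # 1 section, opt size 0
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + section).ljust(0x200, b"\0")
    return headers + b"\x90" * 0x200 + overlay
```

A large, near-8-bit overlay on an otherwise benign-looking binary is exactly the shape the article describes, so it is worth a closer look even when the hash is not on the published list.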
