Dtrack

Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. Dtrack shares similarities with the DarkSeoul campaign, which was attributed to Lazarus Group. [1][2][3][4][5]

ID: S0567
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 25 January 2021
Last Modified: 18 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Dtrack can collect a variety of information from victim machines.[4]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Dtrack can hide in replicas of legitimate programs such as OllyDbg, 7-Zip, and FileZilla.[4]

Enterprise T1129 Shared Modules

Dtrack contains a function that calls LoadLibrary and GetProcAddress.[4]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Dtrack can add a service called WBService to establish persistence.[4]

Enterprise T1574 Hijack Execution Flow

Dtrack can replace the normal flow of program execution with malicious code.[4]

Enterprise T1140 Deobfuscate/Decode Files or Information

Dtrack has used a decryption routine that is part of an executable physical patch.[2]

Enterprise T1547 Boot or Logon Autostart Execution

Dtrack's RAT creates a persistent target file that executes automatically at host startup.[2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Dtrack has used cmd.exe to add a persistent service.[4]

Enterprise T1560 Archive Collected Data

Dtrack packs collected data into a password-protected archive.[2]

Enterprise T1074 .001 Data Staged: Local Data Staging

Dtrack can save collected data to disk in different file formats and to network shares.[2][4]

Enterprise T1083 File and Directory Discovery

Dtrack can list files on available disk volumes.[2][4]

Enterprise T1078 Valid Accounts

Dtrack used hard-coded credentials to gain access to a network share.[4]

Enterprise T1012 Query Registry

Dtrack can collect the RegisteredOwner, RegisteredOrganization, and InstallDate registry values.[4]

Enterprise T1217 Browser Information Discovery

Dtrack can retrieve browser history.[2][4]

Enterprise T1027 .009 Obfuscated Files or Information: Embedded Payloads

Dtrack has used a dropper that embeds an encrypted payload as extra data.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

Dtrack can remove its persistence and delete itself.[2]

Enterprise T1082 System Information Discovery

Dtrack can collect the victim's computer name, hostname, and adapter information to create a unique identifier.[2][4]

Enterprise T1049 System Network Connections Discovery

Dtrack can collect network and active connection information.[2]

Enterprise T1016 System Network Configuration Discovery

Dtrack can collect the host's IP addresses using the ipconfig command.[2][4]

Enterprise T1105 Ingress Tool Transfer

Dtrack can download and upload files to the victim's computer.[2][4]

Enterprise T1056 .001 Input Capture: Keylogging

Dtrack's dropper contains a keylogging executable.[2]

Enterprise T1057 Process Discovery

Dtrack's dropper can list all running processes.[2][4]

Enterprise T1055 .012 Process Injection: Process Hollowing

Dtrack has used process hollowing shellcode to target a predefined list of processes from %SYSTEM32%.[2]

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]
