ATM / POS Fraud , Cybercrime , Cyberwarfare / Nation-State Attacks
Kaspersky: Dual-Use Dtrack Malware Linked to ATM TheftsRemote Access Trojan Is Capable of Cyberespionage and Financial Fraud
A newly discovered remote access Trojan called Dtrack has been targeting banks in India for well over a year, Kaspersky researchers say. The malware can steal data from ATMs and doubles as a cyberespionage tool.
See Also: Webinar | How the SASE Architecture Enables Remote Work
The dual-use malware apparently is linked to North Korea's Lazarus Group, the researchers say. That group allegedly has been involved in several high-profile bank thefts, including the $81 million heist from Bangladesh Bank. Earlier this month, the U.S. Treasury Department announced sanctions against three hacking groups, including Lazarus, which have apparent ties to the North Korean regime.
Kaspersky researchers have been tracking Dtrack since August 2018. They most recently spotted the malware in the wild earlier this month.
When the researchers first became aware of this malware, which they originally named ATMDtrack, they found that attackers primarily used the tool to target the ATMs of Indian banks to steal payment card data, according to the report.
"All the stolen data was sent to a command-and-control hardcoded domain name situated in India," Konstantin Zykov, a security researcher with Kaspersky who worked on the report, tells Information Security Media Group.
Later, as the researchers looked at 180 variants of the malware, they discovered features and functionalities that could be used for cyberespionage, this week’s report notes. So researchers renamed the malware family Dtrack and continued to follow its dual uses as an ATM skimmer and cyberespionage tool.
The updated Dtrack tool functions as a remote access Trojan, or RAT, that can used for a variety of purposes.
As spyware, Dtrack is capable of listing all the available files and running processes within an infected device. In addition, the malware has the ability to perform keylogging, copy browser history, gather all host IP addresses and retrieve information about all available networks and active connections within a device.
The Kaspersky researchers say they haven’t yet determined exactly how Dtrack initially infects a device. “Entities targeted by threat actors using Dtrack RAT often have weak network security policies and password standards, while also failing to track traffic across the organization," the Kaspersky report notes.
Once a device is infected, some of the data the malware steals is packaged up, password-protected and saved to the hard drive disk, while other information is sent to a command-and-control server that the attackers control, according to the report.
The Kaspersky researchers say they were able to tie the malware back to the Lazarus Group by studying the malware samples and decrypting the malicious payload.
The researchers found similarities between Dtrack and some of the malicious code used during the so-called DarkSeoul campaign of 2013, when South Korea experienced a major cyberattack that affecting tens of thousands of computer systems in the financial and broadcasting industries. Investigations of that incident have linked it to the Lazarus Group, which is also called DarkSeoul by some security researchers (see: US Government Warns of North Korean Hacking).
In addition to similarities between the code used to develop the malware in both attacks, the Kaspersky researchers found other links as well.
"Additionally, a command-and-control transport protocol custom implementation is the same for both campaigns. Because of these discoveries, we are quite confident that Dtrack is tied to the Lazarus Group," Zykov says.
"The vast amount of Dtrack samples we found demonstrate how Lazarus is one of the most active APT groups, constantly developing and evolving threats in a bid to affect large-scale industries," the Kasperky report states. "Their successful execution of the Dtrack RAT proves that even when a threat seems to disappear, it can be resurrected in a different guise to attack new targets."
(Managing Editor Scott Ferguson contributed to this report.)