Lazarus Group Unleashes Backdoor DTrack on Businesses

Kaspersky_news


Notorious APT actor Lazarus is expanding its attacks and is now targeting companies in Europe, including Germany and Switzerland. The Kaspersky experts were able to identify attacks with the backdoor DTrack on two German companies (one in chemical processing, one in manufacturing) and on a Swiss chemical processing company.

Lazarus has been active since at least 2009 and has been blamed for cyber espionage, cyber sabotage and ransomware attacks. Initially, the group focused on implementing what appeared to be a geopolitical agenda centered primarily on South Korea. However, it has moved to global targets and has also begun launching attacks for financial gain.

The attacks are currently also aimed at companies in Europe. The Kaspersky experts were able to identify two attacks in Germany in which DTrack was used as a backdoor: one on a company in chemical processing and one in manufacturing. Furthermore, an attack on a Swiss company in chemical processing could be identified.

Modified backdoor DTrack

The backdoor DTrack was originally discovered in 2019 [3] and has not changed significantly over time. DTrack hides in an executable file that looks like a legitimate program. There are several stages of decryption before the malware payload starts. What is new is an additional third layer of encryption that has been added in some of the new malware samples.
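Because the payload sits behind several layers of encryption inside an otherwise legitimate-looking executable, one cheap triage step is to look for regions of a file whose byte distribution is far more uniform than code or text normally is. The script below is an added illustration of that general technique, written for this article rather than taken from Kaspersky's analysis; it runs on a constructed byte buffer (not a DTrack sample) and the window size and 7.0-bit threshold are assumed, commonly used values.

```python
import math
from typing import List, Tuple

# Constructed sample for illustration, NOT a DTrack sample: 1 KiB of plausible
# executable text and zero padding, followed by 1 KiB that cycles through all
# 256 byte values, which is how an encrypted or compressed embedded payload looks.
LOW_ENTROPY_REGION = (b"This program cannot be run in DOS mode.\r\n" * 24).ljust(1024, b"\x00")
HIGH_ENTROPY_REGION = bytes(range(256)) * 4
SAMPLE = LOW_ENTROPY_REGION + HIGH_ENTROPY_REGION


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 when all 256 values are equally frequent."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_windows(data: bytes, window: int = 256) -> List[Tuple[int, float]]:
    """Entropy of each non-overlapping window of the file, as (offset, entropy)."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def high_entropy_regions(data: bytes, window: int = 256,
                         threshold: float = 7.0) -> List[Tuple[int, int]]:
    """Merge adjacent windows at or above the threshold into (start, end) byte ranges.

    Plain x86 code and strings usually score well below 7 bits/byte; encrypted,
    compressed or packed blobs score close to 8. A hit is a triage lead only:
    signed certificates, compressed resources and legitimate packers also score high.
    """
    regions: List[Tuple[int, int]] = []
    for off, ent in scan_windows(data, window):
        if ent < threshold:
            continue
        end = min(off + window, len(data))
        if regions and regions[-1][1] == off:          # extend the previous region
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((off, end))
    return regions


if __name__ == "__main__":
    for start, end in high_entropy_regions(SAMPLE):
        print(f"high-entropy region at 0x{start:x}-0x{end:x} ({end - start} bytes)")
```

On the constructed buffer this reports one region covering the second kilobyte. On a real file, flagged regions tell you where to point a debugger or an emulator to watch the staged decryption, and a flag alone is never a verdict: compare the region against the PE section table and resource directory before treating it as a hidden payload.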

Kaspersky analysis shows that Lazarus uses the backdoor for a variety of attacks aimed at financial gain. It allows cyber criminals to upload, download, launch or delete files on the victim's host. Among the files it downloads and executes, already seen as part of DTrack's usual toolset, are a keylogger, a screenshot tool and a module that collects the victim's system information. Taken together, such a toolset helps cybercriminals move laterally through a victim's infrastructure, for example to retrieve information.

Targeting KRITIS, schools, research

According to KSN telemetry, DTrack is active in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the US. Lazarus is thus widening its circle of victims. Targeted organizations include parts of critical infrastructure such as educational institutions, chemical processing companies, government research centers and government departments, IT service providers, utilities and telecommunications.

"DTrack is still actively used by Lazarus," explains Jornt van der Wiel, security researcher in Kaspersky's Global Research and Analysis Team (GReAT). "Changes made to the way the malware is packaged show that Lazarus still places a high value on DTrack. Still, Lazarus hasn't changed much about it since 2019, when it was originally discovered. However, analysis of victimology shows that operations have been expanded to Europe, a trend we are seeing more frequently."

More at Kaspersky.com

About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/

