Dtrack RAT

Dtrack RAT Description

The Lazarus group is a very active and well-known name in cybercrime at the moment. They were the hackers behind the infamous WannaCry ransomware attacks, the hack against Sony Entertainment, and many other attacks against high-profile targets. One of the recent tools believed to originate from the Lazarus Advanced Persistent Threat group is Dtrack RAT, a Remote Access Trojan that allows its operators to take almost complete control over infected computers. It is believed that the Dtrack RAT is related to ATMDtrack, a piece of ATM malware that was found on the computers of Indian banks in 2018. Both tools are developed and used by the Lazarus APT group, and it is likely that ATMDtrack is a stripped-down version of the Dtrack RAT.

The Dtrack RAT's Code can Reside in the Memory of a System Process

The hackers from Lazarus stay true to their style and use state-of-the-art malware deployment techniques to cover their tracks and bypass security measures. The Dtrack RAT is often used in combination with an unidentified Trojan dropper that is able to inject malicious code into the memory of running system processes, tricking anti-virus engines into treating the malicious code as part of a legitimate Windows process. Of course, trustworthy and regularly updated antivirus products will not fall for this trick, and they can keep your computer protected.

The Dtrack RAT can be Used to Plant Other Malware or Collect Files

When the Dtrack RAT is initialized, it immediately connects to the pre-configured address of its Command & Control server. The RAT then checks for new commands at a fixed time interval and executes any pending tasks as soon as it receives them. The attacker can configure the interval between command checks, and they can also:

  • Upload files to or download files from the compromised computer, and launch them.
  • Grant startup persistence to files they choose.
  • Copy the contents of a folder, partition, or hard drive to their control server.
  • Update the Dtrack RAT or remove it.
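Because the polling interval described above is attacker-configurable, a detection that hard-codes a period will miss most deployments. A more robust approach is to look for the regularity of the cadence itself. The following script is an added example written for this page, not code from the original article or from any analysis of Dtrack: it parses constructed proxy log lines (the timestamps, the internal address 10.0.0.5 and the hostnames are all constructed, not real indicators), groups connections by source and destination, and flags pairs whose gaps between connections are nearly constant.

```python
"""Periodic-beacon detection over constructed proxy log lines.

A RAT that polls its C2 server on a fixed interval leaves a regular
cadence of outbound connections. This added example parses constructed
log lines, groups them by (source, destination), and flags pairs whose
inter-connection gaps have a low coefficient of variation. All
addresses, hostnames and timestamps below are constructed for the
example; none are real indicators.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
# "<ISO timestamp> <source IP> <destination host>"
# The *.invalid host polls every ~5 minutes; www.example.com is
# irregular browsing traffic used as contrast. Lines are deliberately
# not in time order to show that the parser sorts them.
SAMPLE_LOG = """\
2019-10-01T09:00:00 10.0.0.5 update.example-c2.invalid
2019-10-01T09:00:01 10.0.0.5 www.example.com
2019-10-01T09:05:00 10.0.0.5 update.example-c2.invalid
2019-10-01T09:07:43 10.0.0.5 www.example.com
2019-10-01T09:10:01 10.0.0.5 update.example-c2.invalid
2019-10-01T09:10:30 10.0.0.5 www.example.com
2019-10-01T09:15:00 10.0.0.5 update.example-c2.invalid
2019-10-01T09:31:02 10.0.0.5 www.example.com
2019-10-01T09:19:59 10.0.0.5 update.example-c2.invalid
2019-10-01T09:25:00 10.0.0.5 update.example-c2.invalid
2019-10-01T09:48:15 10.0.0.5 www.example.com
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} with each list sorted by time."""
    connections = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, src, dst = line.split()
        connections[(src, dst)].append(datetime.fromisoformat(timestamp))
    for times in connections.values():
        times.sort()
    return connections


def gaps_seconds(times):
    """Seconds between each pair of consecutive connections."""
    return [(later - earlier).total_seconds()
            for earlier, later in zip(times, times[1:])]


def beacon_score(times):
    """Coefficient of variation of the connection gaps.

    0.0 means a perfectly regular cadence. Returns None when there are
    fewer than three gaps, since regularity cannot be judged from so
    few samples.
    """
    gaps = gaps_seconds(times)
    if len(gaps) < 3:
        return None
    average = mean(gaps)
    if average == 0:
        return None
    return pstdev(gaps) / average


def find_beacons(text, max_cv=0.05, min_connections=5):
    """Return [(src, dst, mean_gap_seconds, cv)] for regular-cadence pairs.

    max_cv is the tolerated spread of the gaps relative to their mean;
    min_connections discards pairs seen too rarely to judge.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            hits.append((src, dst, round(mean(gaps_seconds(times))), round(cv, 4)))
    return hits


if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{period}s (cv={cv})")
```

On the constructed log the regular 5-minute poller is reported and the irregular browsing destination is not. The coefficient of variation is what makes the check independent of the configured interval; in production, `max_cv` has to be tuned against the environment's baseline, because implants that add jitter to their polling will need a looser threshold, and legitimate schedulers (update checks, monitoring agents) also beacon regularly and must be whitelisted rather than treated as findings.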

The number of victims affected by the Dtrack RAT is still very low, and cybersecurity experts have not been able to identify a precise security hole that the Lazarus hackers might have used to deliver the threatening program. It is likely that they attempt to exploit vulnerable services and software, unpatched operating systems, or poorly secured networks.