Rewterz Threat Alert – Lazarus DTrack – IOC’s

Severity

High

Analysis Summary

Cyberbit has released a report on a Remote Administration Tool (RAT) called Dtrack that was used in an attack on the Indian nuclear power plant (Kudankulam Nuclear Power Plant or KNPP for short) in what appears to be an APT attack. The North Korean threat group Lazarus (tracked internally as ITG03 by IBM), also widely known as HIDDEN COBRA, is believed to have authored Dtrack. Internal credentials for KNPP’s network were hard-coded into the version of Dtrack examined implying it was the second phase of a targeted attack. Along with the Dtrack variant, three droppers were also found in the network that share techniques similar to those used by the banking trojans, BackSwap and Ursnif. BackSwap inserts itself into legitimate applications, such as OllyDbg, 7-Zip and FileZilla. This has an advantage in that the icon and program details appear to be legitimate. The Ursnif variant found was compiled without the NX-bit set. This allows the malware to execute code directly from its heap or stack.

Impact

Exposure of sensitive information

Indicators of Compromise

SHA-256

• 16fe4de2235850a7d947e4517a667a9bfcca3aee17b5022b02c68cc584aa6548
• 58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb
• 6bb85a033a446976123b9aecf57155e1dd832fa4a7059013897c84833f8fbcf7
• 9d9571b93218f9a635cfeb67b3b31e211be062fd0593c0756eb06a1f58e187fd
• bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364
• fe51590db6f835a3a210eba178d78d5eeafe8a47bf4ca44b3a6b3dfb599f1702

Remediation

• lock all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.