Cyberbit has released a report on a Remote Administration Tool (RAT) called Dtrack that was used in an attack on the Indian nuclear power plant (Kudankulam Nuclear Power Plant, or KNPP for short) in what appears to be an APT attack. The North Korean threat group Lazarus (tracked internally as ITG03 by IBM), also widely known as HIDDEN COBRA, is believed to have authored Dtrack. Internal credentials for KNPP's network were hard-coded into the version of Dtrack examined, implying it was the second phase of a targeted attack. Along with the Dtrack variant, three droppers were also found in the network that share techniques similar to those used by the banking trojans BackSwap and Ursnif. BackSwap inserts itself into legitimate applications such as OllyDbg, 7-Zip and FileZilla; this has the advantage that the icon and program details appear to be legitimate. The Ursnif variant found was compiled without the NX-bit set, which allows the malware to execute code directly from its heap or stack.
Exposure of sensitive information
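The NX-bit observation above is something a triage analyst can check directly in a sample's PE header: the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag (0x0100) in the optional header's DllCharacteristics field tells the Windows loader whether the image is DEP-compatible. The following is an added example, not code from the Cyberbit report or from the malware; it parses that field from raw bytes and builds a constructed, headers-only PE32 image for testing (no real sample is embedded).

```python
import struct

# Real IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification
NX_COMPAT = 0x0100     # image is DEP/NX compatible
DYNAMIC_BASE = 0x0040  # image can be relocated (ASLR)
MITIGATIONS = [("NX_COMPAT", NX_COMPAT), ("DYNAMIC_BASE", DYNAMIC_BASE)]


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image; raise on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                                  # signature + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    return struct.unpack_from("<H", data, opt_off + 70)[0]


def nx_compatible(data: bytes) -> bool:
    """True if the image opts into DEP (NX) via its header flag."""
    return bool(pe_dll_characteristics(data) & NX_COMPAT)


def missing_mitigations(data: bytes) -> list:
    """Names of the header-advertised mitigations the image does not set."""
    flags = pe_dll_characteristics(data)
    return [name for name, bit in MITIGATIONS if not flags & bit]


def build_sample_pe(dll_characteristics: int) -> bytes:
    """Construct a minimal PE32 header (headers only, not runnable) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # PE header right after DOS stub
    # Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for flags in (NX_COMPAT | DYNAMIC_BASE, DYNAMIC_BASE, 0):
        print(hex(flags), "missing:", missing_mitigations(build_sample_pe(flags)))
```

Note that the flag only matters under the default opt-in DEP policy; a host configured with DEP AlwaysOn enforces NX for every process regardless of what the header says, so an absent flag is a triage signal rather than a guarantee about behaviour on a given machine.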