Dtrack

Malware updated 13 days ago (2024-11-08T13:24:49.093Z)

Download STIX

Preview STIX

DTrack is a malicious software (malware) known for its data theft capabilities. It was first associated with North Korean threat groups and has been used in numerous cyber attacks globally. The malware infiltrates systems through suspicious downloads, emails, or websites, and once inside, it collects sensitive information, disguises it as a GIF file, and exfiltrates the data. It has also been linked to other well-known malware such as Zbot and Qbot, which are notorious for hunting banking credentials. Despite its potency, some advanced endpoint detection and response (EDR) solutions have successfully blocked DTrack execution. In mid-2022, Andariel, a faction of the Lazarus group, deployed DTrack alongside Maui ransomware in a series of targeted attacks. The group also utilized another malware family called EarlyRat, exploiting vulnerabilities like the Log4j flaw for initial access. The compromised account that attackers used for initial access and subsequent spreading of various toolsets, including DTrack, was the same one used prior to ransomware deployment. In several instances, Stonefly's custom malware Backdoor.Preft (also known as Dtrack, Valefor) was found to be deployed. Additionally, DTrack was seen being spread laterally across networks by Jumpy Pisces, using the Server Message Block (SMB) protocol. This group maintained persistence in compromised systems by deploying the open-source tool Sliver and their unique custom malware, DTrack, to other hosts via SMB. The attackers copied files associated with the Sliver and DTrack malware family to various hosts using the compromised account, demonstrating the malware's ability to infiltrate and persist within networks.

Description last updated: 2024-10-30T16:02:20.595Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Stonefly is a possible alias for Dtrack. Stonefly, also known as Andariel, Silent Chollima, Onyx Sleet, and APT45, is a threat actor group that has been active since at least 2015 and is believed to be linked to the North Korean government. The group has been involved in various attacks, including ransomware campaigns against Healthcare an	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Backdoor

Ransomware

Exploit

Lateral Move...

Trojan

Apt

Log4j

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Lazarus Group Threat Actor is associated with Dtrack. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K	Unspecified	3
The Andariel Threat Actor is associated with Dtrack. Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In som	Unspecified	3

Source Document References

Information about the Dtrack Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	21 days ago	North Korean Hackers Collaborate with Play Ransomware
DARKReading	21 days ago	North Korea's Andariel Pivots to 'Play' Ransomware
Unit42	22 days ago	Jumpy Pisces Engages in Play Ransomware
DARKReading	2 months ago	North Korea Profits as 'Stonefly' APT Swarms US Co's.
InfoSecurity-magazine	3 months ago	Advanced ValleyRAT Campaign Hits Windows Users in China
CERT-EU	a year ago	Lazarus Group Exploits Log4j Flaw in New Malware Campaign
BankInfoSecurity	a year ago	North Korean Hackers Steal South Korean Anti-Aircraft Data
CERT-EU	a year ago	IT threat evolution in Q2 2023 – GIXtools
CERT-EU	a year ago	IT threat evolution Q2 2023
CERT-EU	a year ago	Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware
CERT-EU	a year ago	Andariel’s silly mistakes and a new malware family – Cyber Security Review
CERT-EU	a year ago	New Malware Alert: EarlyRAT Linked to North Korean Hacking Group
CERT-EU	a year ago	Log4j bug exploited to push novel EarlyRat malware
Securityaffairs	a year ago	North Korean Andariel APT used a new malware named EarlyRat
BankInfoSecurity	a year ago	New Malware by Lazarus-Backed Andariel Group Exploits Log4j
CERT-EU	a year ago	Andariel APT Hackers Drop a New Malware On Windows Via Weaponized MS Word Doc
CERT-EU	a year ago	Andariel’s Mistakes Uncover New Malware in Lazarus Group Campaign
CERT-EU	a year ago	Andariel’s silly mistakes and a new malware family – GIXtools
CERT-EU	a year ago	Kaspersky crimeware report: Andariel’s mistakes and EasyRat malware
MITRE	2 years ago	Hello! My name is Dtrack