Dtrack

Malware updated 23 days ago (2024-11-29T13:56:42.004Z)
Download STIX
Preview STIX
DTrack is a malicious software (malware) known for its data theft capabilities. It was first associated with North Korean threat groups and has been used in numerous cyber attacks globally. The malware infiltrates systems through suspicious downloads, emails, or websites, and once inside, it collects sensitive information, disguises it as a GIF file, and exfiltrates the data. It has also been linked to other well-known malware such as Zbot and Qbot, which are notorious for hunting banking credentials. Despite its potency, some advanced endpoint detection and response (EDR) solutions have successfully blocked DTrack execution. In mid-2022, Andariel, a faction of the Lazarus group, deployed DTrack alongside Maui ransomware in a series of targeted attacks. The group also utilized another malware family called EarlyRat, exploiting vulnerabilities like the Log4j flaw for initial access. The compromised account that attackers used for initial access and subsequent spreading of various toolsets, including DTrack, was the same one used prior to ransomware deployment. In several instances, Stonefly's custom malware Backdoor.Preft (also known as Dtrack, Valefor) was found to be deployed. Additionally, DTrack was seen being spread laterally across networks by Jumpy Pisces, using the Server Message Block (SMB) protocol. This group maintained persistence in compromised systems by deploying the open-source tool Sliver and their unique custom malware, DTrack, to other hosts via SMB. The attackers copied files associated with the Sliver and DTrack malware family to various hosts using the compromised account, demonstrating the malware's ability to infiltrate and persist within networks.
Description last updated: 2024-10-30T16:02:20.595Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Stonefly is a possible alias for Dtrack. Stonefly, also known as Andariel, Silent Chollima, Onyx Sleet, and APT45, is a threat actor group that has been active since at least 2015 and is believed to be linked to the North Korean government. The group has been involved in various attacks, including ransomware campaigns against Healthcare an
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Ransomware
Exploit
Lateral Move...
Trojan
Apt
Log4j
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lazarus Group Threat Actor is associated with Dtrack. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitatiUnspecified
3
The Andariel Threat Actor is associated with Dtrack. Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In somUnspecified
3
Source Document References
Information about the Dtrack Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
InfoSecurity-magazine
2 months ago
DARKReading
2 months ago
Unit42
2 months ago
DARKReading
3 months ago
InfoSecurity-magazine
4 months ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
MITRE
2 years ago