
Dtrack RAT

Posted: September 24, 2019

The Dtrack RAT is a Remote Access Trojan whose activity was first analyzed when it targeted financial institutions in India. During their research, malware analysts discovered another malware family that is closely related to the Dtrack RAT – ATMDtrack, a cyber-threat built to target Automated Teller Machines (ATMs). Both of these tools are believed to be developed and used by Lazarus, an Advanced Persistent Threat group responsible for high-profile cyberattacks such as the WannaCry Ransomware outbreak.

Recent samples of the Dtrack RAT were delivered via an advanced Trojan dropper that uses the 'process hollowing' technique to inject the RAT into the memory of a Windows process that is running at the time of the injection. The dropper chooses a random process from a pre-defined list of common system processes, all of which are started from the %SYSTEM32% folder. After initialization, the Dtrack RAT gains persistence by applying a change to the Windows Registry.
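The persistence described above is a Registry change, and the command list below includes making a file start alongside Windows, which points to an autostart-style entry. The following PowerShell audit is added here as an example and is not code from the original write-up: it lists Run/RunOnce values whose target executable lies outside System32 and Program Files. It assumes the Dtrack change is of that autostart kind, since the write-up does not name the key, and it does not detect the hollowed process itself, which keeps the legitimate System32 image path.

```powershell
# Added example: audit classic autostart keys for entries pointing outside trusted
# directories. Assumption: the Dtrack Registry persistence is a Run/RunOnce value;
# the write-up only says "a change to the Windows Registry".
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories whose executables we treat as expected autostart targets.
$trusted = @("$env:SystemRoot\System32", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Get-CommandPath([string]$cmd) {
    # Extract the executable from a value such as
    #   "C:\Users\x\AppData\Roaming\tool.exe" /silent   or   C:\tool.exe -a
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PS* metadata
        $exe = [Environment]::ExpandEnvironmentVariables((Get-CommandPath ([string]$p.Value)))
        $lower = $exe.ToLowerInvariant()
        $ok = $false
        foreach ($t in $trusted) { if ($lower.StartsWith($t)) { $ok = $true } }
        if (-not $ok) {
            # Report the suspicious entry; OnDisk = $false means the target is missing,
            # which often indicates a removed or renamed payload.
            [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $exe; OnDisk = (Test-Path $exe) }
        }
    }
}
```

Run it in an elevated session so HKLM values are readable; review each reported entry against known software before acting on it.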

Lazarus Produces Another High-Quality Remote Access Trojan

After deployment, the Dtrack RAT provides its operators with the ability to control it via commands sent from a remote command server. Some of the operations that the Dtrack RAT supports are:

  • Upload and execute files to the compromised host.
  • Make a specific file start alongside Windows.
  • Download and execute files from a remote URL.
  • Collect the contents of an entire hard drive, partition or specified folder.
  • Configure how often the Dtrack RAT checks for new commands.
  • Exit the RAT and remove the unsafe component from the target host.

It is not clear what infection vector the Lazarus group uses to deliver the Dtrack RAT payload, but it is likely that it exploits systems with outdated software, poorly configured security measures or weak login credentials. It is recommended to close such potential security holes, as well as to add an extra layer of protection by installing a reputable anti-virus product.
