SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dtrack (Back to overview)

Dtrack

aka: Preft, TroyRAT

Actor(s): Lazarus Group, Silent Chollima

VTCollection    

Dtrack is a Remote Administration Tool (RAT) developed by the Lazarus group.
Its core functionality includes operations to upload a file to the victim's computer, download a file from the victim's computer, dump disk volume data, persistence and more.

A variant of Dtrack was found on Kudankulam Nuclear Power Plant (KNPP) which was used for a targeted attack.

References
2023-02-09CISA, DSA, FBI, HHS, NSA, ROK
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
Dtrack MagicRAT Maui Ransomware SiennaBlue SiennaPurple Tiger RAT YamaBot
2023-02-02WithSecureSami Ruohonen, Stephen Robinson
No Pineapple! –DPRK Targeting of Medical Research and Technology Sector
Dtrack GREASE QuiteRAT
2022-11-15Kaspersky LabsJornt van der Wiel, Konstantin Zykov
DTrack activity targeting Europe and Latin America
Dtrack
2022-08-09KasperskyKurt Baumgartner, Seongsu Park
Andariel deploys DTrack and Maui ransomware
Dtrack Maui Ransomware
2022-04-27SymantecThreat Hunter Team
Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets
Dtrack VSingle
2020-11-27MacnicaHiroshi Takeuchi
Analyzing Organizational Invasion Ransom Incidents Using Dtrack
Cobalt Strike Dtrack
2020-11-03Kaspersky LabsGReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-05-31Twitter (ShadowChasing1)Shadow Chaser Group
Tweet on DTRACK malware
Dtrack
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-19LexfoLexfo
The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-11-21CyberbitHod Gavriel
Dtrack: In-depth analysis of APT on a nuclear power plant
Dtrack
2019-11-04Marco Ramilli's BlogMarco Ramilli
Is Lazarus/APT38 Targeting Critical Infrastructures?
Dtrack
2019-11-03Github (jeFF0Falltrades)Jeff Archer
DTrack
Dtrack
2019-09-23Kaspersky LabsKonstantin Zykov
Hello! My name is Dtrack
Dtrack
Yara Rules
[TLP:WHITE] win_dtrack_auto (20230808 | Detects win.dtrack.)
rule win_dtrack_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.dtrack."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 52 8b4508 50 e8???????? 83c414 8b4d10 51 }
            // n = 7, score = 400
            //   52                   | push                edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   51                   | push                ecx

        $sequence_1 = { ff15???????? 8d85dcfdffff 50 6a01 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   8d85dcfdffff         | lea                 eax, [ebp - 0x224]
            //   50                   | push                eax
            //   6a01                 | push                1

        $sequence_2 = { 8955f0 8b45f0 0fb68899010000 51 8b55f0 }
            // n = 5, score = 300
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   0fb68899010000       | movzx               ecx, byte ptr [eax + 0x199]
            //   51                   | push                ecx
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]

        $sequence_3 = { 8d85ecfeffff 50 8d8dc8fdffff 51 8d95ccfdffff }
            // n = 5, score = 300
            //   8d85ecfeffff         | lea                 eax, [ebp - 0x114]
            //   50                   | push                eax
            //   8d8dc8fdffff         | lea                 ecx, [ebp - 0x238]
            //   51                   | push                ecx
            //   8d95ccfdffff         | lea                 edx, [ebp - 0x234]

        $sequence_4 = { 0345f4 8810 ebac e9???????? 8be5 }
            // n = 5, score = 300
            //   0345f4               | add                 eax, dword ptr [ebp - 0xc]
            //   8810                 | mov                 byte ptr [eax], dl
            //   ebac                 | jmp                 0xffffffae
            //   e9????????           |                     
            //   8be5                 | mov                 esp, ebp

        $sequence_5 = { 52 8d8590f5ffff 50 ff15???????? c685a0f8ffff00 6803010000 6a00 }
            // n = 7, score = 300
            //   52                   | push                edx
            //   8d8590f5ffff         | lea                 eax, [ebp - 0xa70]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   c685a0f8ffff00       | mov                 byte ptr [ebp - 0x760], 0
            //   6803010000           | push                0x103
            //   6a00                 | push                0

        $sequence_6 = { c685b8fbffff00 6803010000 6a00 8d8db9fbffff 51 e8???????? }
            // n = 6, score = 300
            //   c685b8fbffff00       | mov                 byte ptr [ebp - 0x448], 0
            //   6803010000           | push                0x103
            //   6a00                 | push                0
            //   8d8db9fbffff         | lea                 ecx, [ebp - 0x447]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_7 = { 51 e8???????? 83c410 8b558c 52 }
            // n = 5, score = 300
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8b558c               | mov                 edx, dword ptr [ebp - 0x74]
            //   52                   | push                edx

        $sequence_8 = { 8b8520f5ffff 8a4801 888d1ff5ffff 838520f5ffff01 }
            // n = 4, score = 300
            //   8b8520f5ffff         | mov                 eax, dword ptr [ebp - 0xae0]
            //   8a4801               | mov                 cl, byte ptr [eax + 1]
            //   888d1ff5ffff         | mov                 byte ptr [ebp - 0xae1], cl
            //   838520f5ffff01       | add                 dword ptr [ebp - 0xae0], 1

        $sequence_9 = { d1e9 894df8 8b5518 8955fc c745f000000000 eb09 }
            // n = 6, score = 200
            //   d1e9                 | shr                 ecx, 1
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   eb09                 | jmp                 0xb

        $sequence_10 = { 8b45fc c1e808 8b4dfc c1e910 }
            // n = 4, score = 200
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   c1e808               | shr                 eax, 8
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c1e910               | shr                 ecx, 0x10

        $sequence_11 = { c1e810 23c8 33d1 8855f7 8b4df8 c1e908 8b55fc }
            // n = 7, score = 200
            //   c1e810               | shr                 eax, 0x10
            //   23c8                 | and                 ecx, eax
            //   33d1                 | xor                 edx, ecx
            //   8855f7               | mov                 byte ptr [ebp - 9], dl
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   c1e908               | shr                 ecx, 8
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_12 = { 894d14 8b45f8 c1e018 8b4dfc }
            // n = 4, score = 200
            //   894d14               | mov                 dword ptr [ebp + 0x14], ecx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   c1e018               | shl                 eax, 0x18
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_13 = { 6867452301 8b4d10 51 8b55f4 52 }
            // n = 5, score = 200
            //   6867452301           | push                0x1234567
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   51                   | push                ecx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   52                   | push                edx

        $sequence_14 = { eb64 8b4d10 51 6a00 8b55f4 52 e8???????? }
            // n = 7, score = 200
            //   eb64                 | jmp                 0x66
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   52                   | push                edx
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1736704
}
[TLP:WHITE] win_dtrack_w0   (20191121 | No description)
rule win_dtrack_w0 {
    meta:
        author = "jeFF0Falltrades"
        source = "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack"
        malpedia_version = "20191121"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $str_log = "------------------------------ Log File Create...." wide ascii
        $str_ua = "CCS_Mozilla/5.0 (Windows NT 6.1" wide ascii
        $str_chrome = "Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\History" wide ascii
        $pdb = "Users\\user\\Documents\\Visual Studio 2008\\Projects\\MyStub\\Release\\MyStub.pdb" wide ascii
        $str_tmp = "%s\\~%d.tmp" wide ascii
        $str_exc = "Execute_%s.log" wide ascii
        $reg_use = /net use \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$ \/delete/
        $reg_move = /move \/y %s \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$\\Windows\\Temp\\MpLogs\\/

    condition:
        2 of them or $pdb
}
Download all Yara Rules