win.dtrack

Dtrack

Actor(s): Lazarus Group


Dtrack is a Remote Administration Tool (RAT) developed by the Lazarus group.
Its core functionality includes uploading files to the victim's computer, downloading files from it, dumping disk volume data, establishing persistence, and more.

A variant of Dtrack was found at the Kudankulam Nuclear Power Plant (KNPP), where it was used in a targeted attack.

References
Date | Organization | Author(s)

2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Families: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare

2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} }
Families: FastCash, AppleJeus, BADCALL, Bankshot, Brambul, Dtrack, Duuzer, DYEPACK, ELECTRICFISH, HARDRAIN, Hermes, HOPLIGHT, Joanap, KEYMARBLE, Kimsuky, MimiKatz, MyDoom, NACHOCHEESE, NavRAT, PowerRatankba, RokRAT, Sierra(Alfa,Bravo, ...), Volgmer, WannaCryptor

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Families: Chrysaor, Exodus, Dacls, elf.vpnfilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2019-12-12 | FireEye | Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} }
Families: Cerberus, TSCookie, Cobalt Strike, Dtrack, Emotet, Formbook, IcedID, Icefog, IRONHALO, Loki Password Stealer (PWS), PandaBanker, PLEAD, poisonplug, TrickBot, BlackTech

2019-11-21 | Cyberbit | Hod Gavriel
@online{gavriel:20191121:dtrack:fe6fbbc, author = {Hod Gavriel}, title = {{Dtrack: In-depth analysis of APT on a nuclear power plant}}, date = {2019-11-21}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/}, language = {English}, urldate = {2020-01-13} }
Families: Dtrack

2019-11-04 | Marco Ramilli's Blog | Marco Ramilli
@online{ramilli:20191104:is:79a8669, author = {Marco Ramilli}, title = {{Is Lazarus/APT38 Targeting Critical Infrastructures?}}, date = {2019-11-04}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/}, language = {English}, urldate = {2020-01-07} }
Families: Dtrack

2019-11-03 | Github (jeFF0Falltrades) | Jeff Archer
@online{archer:20191103:dtrack:de46ce3, author = {Jeff Archer}, title = {{DTrack}}, date = {2019-11-03}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md}, language = {English}, urldate = {2019-12-18} }
Families: Dtrack

2019-09-23 | Kaspersky Labs | Konstantin Zykov
@online{zykov:20190923:hello:a1e9360, author = {Konstantin Zykov}, title = {{Hello! My name is Dtrack}}, date = {2019-09-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/my-name-is-dtrack/93338/}, language = {English}, urldate = {2020-01-13} }
Families: Dtrack
Yara Rules
[TLP:WHITE] win_dtrack_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_dtrack_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 52 8b4508 50 e8???????? 83c414 8b4d10 51 }
            // n = 7, score = 400
            //   52                   | push                edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   51                   | push                ecx

        $sequence_1 = { 898550eaffff 81bd50eaffff0c030000 7605 e9???????? 6803010000 }
            // n = 5, score = 300
            //   898550eaffff         | mov                 dword ptr [ebp - 0x15b0], eax
            //   81bd50eaffff0c030000 | cmp                 dword ptr [ebp - 0x15b0], 0x30c
            //   7605                 | jbe                 7
            //   e9????????           |                     
            //   6803010000           | push                0x103

        $sequence_2 = { ebb8 c745fc00000000 eb09 8b55fc 83c201 }
            // n = 5, score = 300
            //   ebb8                 | jmp                 0xffffffba
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   eb09                 | jmp                 0xb
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   83c201               | add                 edx, 1

        $sequence_3 = { 8b955cf5ffff 8bca c1e902 f3a5 }
            // n = 4, score = 300
            //   8b955cf5ffff         | mov                 edx, dword ptr [ebp - 0xaa4]
            //   8bca                 | mov                 ecx, edx
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]

        $sequence_4 = { 66a1???????? 668907 0fb64d0c 51 8d9588f6ffff 52 e8???????? }
            // n = 7, score = 300
            //   66a1????????         |                     
            //   668907               | mov                 word ptr [edi], ax
            //   0fb64d0c             | movzx               ecx, byte ptr [ebp + 0xc]
            //   51                   | push                ecx
            //   8d9588f6ffff         | lea                 edx, [ebp - 0x978]
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_5 = { 51 e8???????? 83c410 8b558c }
            // n = 4, score = 300
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8b558c               | mov                 edx, dword ptr [ebp - 0x74]

        $sequence_6 = { 888536eaffff 8b8d3ceaffff 3a4101 7523 }
            // n = 4, score = 300
            //   888536eaffff         | mov                 byte ptr [ebp - 0x15ca], al
            //   8b8d3ceaffff         | mov                 ecx, dword ptr [ebp - 0x15c4]
            //   3a4101               | cmp                 al, byte ptr [ecx + 1]
            //   7523                 | jne                 0x25

        $sequence_7 = { 3a0a 7546 80bd23eaffff00 7431 8b8524eaffff 8a4801 }
            // n = 6, score = 300
            //   3a0a                 | cmp                 cl, byte ptr [edx]
            //   7546                 | jne                 0x48
            //   80bd23eaffff00       | cmp                 byte ptr [ebp - 0x15dd], 0
            //   7431                 | je                  0x33
            //   8b8524eaffff         | mov                 eax, dword ptr [ebp - 0x15dc]
            //   8a4801               | mov                 cl, byte ptr [eax + 1]

        $sequence_8 = { 8b4d10 51 6a00 8b55f4 52 e8???????? }
            // n = 6, score = 200
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_9 = { 894dfc 8b550c 8b4204 8945f8 68efcdab89 }
            // n = 5, score = 200
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   68efcdab89           | push                0x89abcdef

        $sequence_10 = { 8b4df0 3b4d10 0f8d90000000 8b5508 0355f0 0fb602 }
            // n = 6, score = 200
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   3b4d10               | cmp                 ecx, dword ptr [ebp + 0x10]
            //   0f8d90000000         | jge                 0x96
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
            //   0fb602               | movzx               eax, byte ptr [edx]

        $sequence_11 = { 7406 837d1408 7304 33c0 }
            // n = 4, score = 200
            //   7406                 | je                  8
            //   837d1408             | cmp                 dword ptr [ebp + 0x14], 8
            //   7304                 | jae                 6
            //   33c0                 | xor                 eax, eax

        $sequence_12 = { 8bec 83ec10 8a4514 8845f7 8b4d14 }
            // n = 5, score = 200
            //   8bec                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10
            //   8a4514               | mov                 al, byte ptr [ebp + 0x14]
            //   8845f7               | mov                 byte ptr [ebp - 9], al
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]

        $sequence_13 = { 3355fc 81e2ff000000 c1e217 0bca 894d14 8b45f8 }
            // n = 6, score = 200
            //   3355fc               | xor                 edx, dword ptr [ebp - 4]
            //   81e2ff000000         | and                 edx, 0xff
            //   c1e217               | shl                 edx, 0x17
            //   0bca                 | or                  ecx, edx
            //   894d14               | mov                 dword ptr [ebp + 0x14], ecx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

    condition:
        7 of them and filesize < 1736704
}
[TLP:WHITE] win_dtrack_w0   (20191121 | No description)
rule win_dtrack_w0 {
    meta:
        author = "jeFF0Falltrades"
        source = "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack"
        malpedia_version = "20191121"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Header line the sample writes when it creates its log file
        $str_log = "------------------------------ Log File Create...." wide ascii
        // Hard-coded User-Agent fragment, prefixed with "CCS_"
        $str_ua = "CCS_Mozilla/5.0 (Windows NT 6.1" wide ascii
        // Path of the Chrome browsing-history database referenced by the sample
        $str_chrome = "Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\History" wide ascii
        // PDB path embedded in the binary; on its own it satisfies the condition below
        $pdb = "Users\\user\\Documents\\Visual Studio 2008\\Projects\\MyStub\\Release\\MyStub.pdb" wide ascii
        // Format strings for the temporary file and the per-command log file
        $str_tmp = "%s\\~%d.tmp" wide ascii
        $str_exc = "Execute_%s.log" wide ascii
        // Command lines that disconnect from, and move a file to, a remote C$ share
        // (IP address is matched as four dotted octets)
        $reg_use = /net use \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$ \/delete/
        $reg_move = /move \/y %s \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$\\Windows\\Temp\\MpLogs\\/

    condition:
        2 of them or $pdb
}