SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dtrack (Back to overview)

Dtrack

aka: TroyRAT

Actor(s): Lazarus Group, Silent Chollima


Dtrack is a Remote Administration Tool (RAT) developed by the Lazarus group.
Its core functionality includes operations to upload a file to the victim's computer, download a file from the victim's computer, dump disk volume data, persistence and more.

A variant of Dtrack was found on Kudankulam Nuclear Power Plant (KNPP) which was used for a targeted attack.

References
2022-08-09KasperskyKurt Baumgartner, Seongsu Park
@online{baumgartner:20220809:andariel:89d6b24, author = {Kurt Baumgartner and Seongsu Park}, title = {{Andariel deploys DTrack and Maui ransomware}}, date = {2022-08-09}, organization = {Kaspersky}, url = {https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/}, language = {English}, urldate = {2022-08-11} } Andariel deploys DTrack and Maui ransomware
Dtrack Maui Ransomware
2020-11-27MacnicaHiroshi Takeuchi
@online{takeuchi:20201127:analyzing:4089f84, author = {Hiroshi Takeuchi}, title = {{Analyzing Organizational Invasion Ransom Incidents Using Dtrack}}, date = {2020-11-27}, organization = {Macnica}, url = {https://blog.macnica.net/blog/2020/11/dtrack.html}, language = {Japanese}, urldate = {2020-12-08} } Analyzing Organizational Invasion Ransom Incidents Using Dtrack
Cobalt Strike Dtrack
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-05-31Twitter (ShadowChasing1)Shadow Chaser Group
@online{group:20200531:dtrack:d91f05d, author = {Shadow Chaser Group}, title = {{Tweet on DTRACK malware}}, date = {2020-05-31}, organization = {Twitter (ShadowChasing1)}, url = {https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20}, language = {English}, urldate = {2021-06-09} } Tweet on DTRACK malware
Dtrack
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-11-21CyberbitHod Gavriel
@online{gavriel:20191121:dtrack:fe6fbbc, author = {Hod Gavriel}, title = {{Dtrack: In-depth analysis of APT on a nuclear power plant}}, date = {2019-11-21}, organization = {Cyberbit}, url = {https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/}, language = {English}, urldate = {2020-08-21} } Dtrack: In-depth analysis of APT on a nuclear power plant
Dtrack
2019-11-04Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20191104:is:79a8669, author = {Marco Ramilli}, title = {{Is Lazarus/APT38 Targeting Critical Infrastructures?}}, date = {2019-11-04}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/}, language = {English}, urldate = {2020-01-07} } Is Lazarus/APT38 Targeting Critical Infrastructures?
Dtrack
2019-11-03Github (jeFF0Falltrades)Jeff Archer
@online{archer:20191103:dtrack:de46ce3, author = {Jeff Archer}, title = {{DTrack}}, date = {2019-11-03}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md}, language = {English}, urldate = {2019-12-18} } DTrack
Dtrack
2019-09-23Kaspersky LabsKonstantin Zykov
@online{zykov:20190923:hello:a1e9360, author = {Konstantin Zykov}, title = {{Hello! My name is Dtrack}}, date = {2019-09-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/my-name-is-dtrack/93338/}, language = {English}, urldate = {2020-01-13} } Hello! My name is Dtrack
Dtrack
Yara Rules
[TLP:WHITE] win_dtrack_auto (20220808 | Detects win.dtrack.)
rule win_dtrack_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.dtrack."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 52 8b4508 50 e8???????? 83c414 8b4d10 51 }
            // n = 7, score = 400
            //   52                   | push                edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   51                   | push                ecx

        $sequence_1 = { 50 e8???????? 83c404 c78530fbffff00000000 eb0f 8b9530fbffff }
            // n = 6, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c78530fbffff00000000     | mov    dword ptr [ebp - 0x4d0], 0
            //   eb0f                 | jmp                 0x11
            //   8b9530fbffff         | mov                 edx, dword ptr [ebp - 0x4d0]

        $sequence_2 = { 52 e8???????? 83c40c 8d85d4faffff 50 }
            // n = 5, score = 300
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d85d4faffff         | lea                 eax, [ebp - 0x52c]
            //   50                   | push                eax

        $sequence_3 = { e8???????? 83c404 50 8d95c0fcffff 52 ff15???????? }
            // n = 6, score = 300
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   50                   | push                eax
            //   8d95c0fcffff         | lea                 edx, [ebp - 0x340]
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_4 = { 50 e8???????? 83c408 8945fc 8d8de0feffff 51 8d55ec }
            // n = 7, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d8de0feffff         | lea                 ecx, [ebp - 0x120]
            //   51                   | push                ecx
            //   8d55ec               | lea                 edx, [ebp - 0x14]

        $sequence_5 = { 51 e8???????? 83c410 8b558c 52 }
            // n = 5, score = 300
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8b558c               | mov                 edx, dword ptr [ebp - 0x74]
            //   52                   | push                edx

        $sequence_6 = { 80bdcbfeffff00 75e1 8bbdccfeffff 668b0d???????? 66890f }
            // n = 5, score = 300
            //   80bdcbfeffff00       | cmp                 byte ptr [ebp - 0x135], 0
            //   75e1                 | jne                 0xffffffe3
            //   8bbdccfeffff         | mov                 edi, dword ptr [ebp - 0x134]
            //   668b0d????????       |                     
            //   66890f               | mov                 word ptr [edi], cx

        $sequence_7 = { 888d23eaffff 8b9528eaffff 3a0a 7546 80bd23eaffff00 7431 }
            // n = 6, score = 300
            //   888d23eaffff         | mov                 byte ptr [ebp - 0x15dd], cl
            //   8b9528eaffff         | mov                 edx, dword ptr [ebp - 0x15d8]
            //   3a0a                 | cmp                 cl, byte ptr [edx]
            //   7546                 | jne                 0x48
            //   80bd23eaffff00       | cmp                 byte ptr [ebp - 0x15dd], 0
            //   7431                 | je                  0x33

        $sequence_8 = { 8b95a8faffff 83e210 0f84cc010000 8d85a1faffff 89853ceaffff 8d8dd4faffff }
            // n = 6, score = 300
            //   8b95a8faffff         | mov                 edx, dword ptr [ebp - 0x558]
            //   83e210               | and                 edx, 0x10
            //   0f84cc010000         | je                  0x1d2
            //   8d85a1faffff         | lea                 eax, [ebp - 0x55f]
            //   89853ceaffff         | mov                 dword ptr [ebp - 0x15c4], eax
            //   8d8dd4faffff         | lea                 ecx, [ebp - 0x52c]

        $sequence_9 = { 8b55fc d1ea 3355fc 81e2ff000000 }
            // n = 4, score = 200
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   d1ea                 | shr                 edx, 1
            //   3355fc               | xor                 edx, dword ptr [ebp - 4]
            //   81e2ff000000         | and                 edx, 0xff

        $sequence_10 = { 894518 8b5514 8955f8 8b4518 }
            // n = 4, score = 200
            //   894518               | mov                 dword ptr [ebp + 0x18], eax
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]

        $sequence_11 = { 83c414 8b4d10 51 8b55f4 52 8b4508 }
            // n = 6, score = 200
            //   83c414               | add                 esp, 0x14
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   51                   | push                ecx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   52                   | push                edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_12 = { 0fb655f7 2355fc 8b45fc c1e808 8b4dfc c1e910 23c1 }
            // n = 7, score = 200
            //   0fb655f7             | movzx               edx, byte ptr [ebp - 9]
            //   2355fc               | and                 edx, dword ptr [ebp - 4]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   c1e808               | shr                 eax, 8
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c1e910               | shr                 ecx, 0x10
            //   23c1                 | and                 eax, ecx

        $sequence_13 = { 0355f0 0fb602 0fb64df7 33c1 0fb655fc 33c2 }
            // n = 6, score = 200
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
            //   0fb602               | movzx               eax, byte ptr [edx]
            //   0fb64df7             | movzx               ecx, byte ptr [ebp - 9]
            //   33c1                 | xor                 eax, ecx
            //   0fb655fc             | movzx               edx, byte ptr [ebp - 4]
            //   33c2                 | xor                 eax, edx

        $sequence_14 = { 234df8 8b45f8 c1e810 23c8 33d1 8855f7 8b4df8 }
            // n = 7, score = 200
            //   234df8               | and                 ecx, dword ptr [ebp - 8]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   c1e810               | shr                 eax, 0x10
            //   23c8                 | and                 ecx, eax
            //   33d1                 | xor                 edx, ecx
            //   8855f7               | mov                 byte ptr [ebp - 9], dl
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]

    condition:
        7 of them and filesize < 1736704
}
[TLP:WHITE] win_dtrack_w0   (20191121 | No description)
rule win_dtrack_w0 {
    meta:
        author = "jeFF0Falltrades"
        source = "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack"
        malpedia_version = "20191121"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $str_log = "------------------------------ Log File Create...." wide ascii
        $str_ua = "CCS_Mozilla/5.0 (Windows NT 6.1" wide ascii
        $str_chrome = "Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\History" wide ascii
        $pdb = "Users\\user\\Documents\\Visual Studio 2008\\Projects\\MyStub\\Release\\MyStub.pdb" wide ascii
        $str_tmp = "%s\\~%d.tmp" wide ascii
        $str_exc = "Execute_%s.log" wide ascii
        $reg_use = /net use \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$ \/delete/
        $reg_move = /move \/y %s \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$\\Windows\\Temp\\MpLogs\\/

    condition:
        2 of them or $pdb
}
Download all Yara Rules