In 2018, Kaspersky researchers discovered ATMDtrack – malware created to infiltrate Indian ATMs and steal customer card data. Following further investigation using the Kaspersky Attribution Engine and other tools, the researchers found more than 180 new malware samples which had code sequence similarities with the ATMDtrack – but at the same time clearly were not aimed at ATMs. Instead their list of functions defined them as spy tools – now known as Dtrack. Moreover, not only did the two strains share similarities with each other, but also with the 2013 DarkSeoul campaign which was attributed to Lazarus – an infamous advanced persistence threat actor responsible for multiple cyberespionage and cyber sabotage operations.
The Dtrack samples were detected from as many as 18 states in India, where 24% were found in Maharashtra, followed by Karnataka (18.5%) and Telangana (12%). The other main infected states include West Bengal, Uttar Pradesh, Tamil Nadu, Delhi, Kerala.
Dtrack can be used as a remote admin tool (RAT), giving threat actors complete control over infected devices. Criminals can then perform different operations, such as uploading and downloading files and executing key processes.
The event saw Mr. Konstantin Zykov, Security Researcher at Kaspersky's Global Research and Analysis Team, Kaspersky explaining about Dtrack, "The large amount of Dtrack samples we found demonstrate that Lazarus is one of the most active APT groups, constantly developing and evolving threats in a bid to affect large-scale industries and seeking to evade detection. Their successful execution of Dtrack RAT proves that even when a threat seems to disappear, it can be resurrected in a different guise to attack new targets."
Saurabh Sharma, Senior Security Researcher (GReAT), Kaspersky (APAC), said, "Although we have seen the number of local threats in India have decreased in the last quarter comparatively to last year, India is still consistently ranked as Top 10 countries in Kaspersky's Cybermap Real Time Threat. This shows that India still needs to continue increasing its cyber security efforts, and the advanced persistent threat attack highlights the importance of investing in threat landscape intelligence."
The newly discovered malware is active and based on Kaspersky telemetry, and is still used in cyberattacks. For further information visit Securelist.com
To avoid being affected by malware, such as Dtrack RAT, Kaspersky recommends: