Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Dtrack
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Dtrack
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Dtrack

Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. Dtrack shares similarities with the DarkSeoul campaign, which was attributed to Lazarus Group. (Citation: Kaspersky Dtrack)(Citation: Securelist Dtrack)(Citation: Dragos WASSONITE)(Citation: CyberBit Dtrack)(Citation: ZDNet Dtrack)
ID: S0567
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 25 Jan 2021
Last Modified: 18 Oct 2022

Techniques Used
Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Dtrack has used cmd.exe to add a persistent service.(Citation: CyberBit Dtrack)
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Dtrack can add a service called WBService to establish persistence.(Citation: CyberBit Dtrack)
Enterprise T1074 .001 Data Staged: Local Data Staging

Dtrack can save collected data to disk, different file formats, and network shares.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack)
Enterprise T1070 .004 Indicator Removal: File Deletion

Dtrack can remove its persistence and delete itself.(Citation: Securelist Dtrack)
Enterprise T1056 .001 Input Capture: Keylogging

Dtrack’s dropper contains a keylogging executable.(Citation: Securelist Dtrack)
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

One of Dtrack can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla.(Citation: CyberBit Dtrack)
Enterprise T1027 .009 Obfuscated Files or Information: Embedded Payloads

Dtrack has used a dropper that embeds an encrypted payload as extra data.(Citation: Securelist Dtrack)
Enterprise T1055 .012 Process Injection: Process Hollowing

Dtrack has used process hollowing shellcode to target a predefined list of processes from %SYSTEM32%.(Citation: Securelist Dtrack)

Groups That Use This Software
ID Name References
G0032 Lazarus Group

(Citation: Kaspersky Dtrack)

References

  1. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  2. Catalin Cimpanu. (2019, October 30). Confirmed: North Korean malware found on Indian nuclear plant's network. Retrieved January 20, 2021.
  3. Dragos. (n.d.). WASSONITE. Retrieved January 20, 2021.
  4. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  5. Kaspersky Global Research and Analysis Team. (2019, September 23). DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers. Retrieved January 20, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.