Hackers associated with the North Korean government have developed a new type of malware that has been used to record and steal data from cards inserted into Indian ATMs.
Kaspersky Lab researchers said in a report released yesterday that the banking malware, known as ATMDTrack, has been active in the country since late summer.
The Moscow-based security company conducted further analysis of the malware samples and found them to be part of a larger remote access Trojan (RAT) called DTrack.
The researchers describe it as an espionage tool used against Indian financial institutions and research centers, noting that the malware strain “has similarities to DarkSeoul’s activities, dating back to 2013, due to the Lazarus Group.”
The researchers said that the DTrack RAT was first discovered only this month.
The 2013 DarkSeoul attack targeted high-profile Korean organizations, wiping the hard drives of computers belonging to banks, television broadcasters and several financial companies.
The attack was ultimately attributed to the Lazarus Group, a prolific hacking group known for cryptocurrency theft and for its ties to the North Korean government.
Last week the group was added to the US sanctions list for its attacks on critical infrastructure and for siphoning funds from companies to finance the country’s weapons and missile programs.
Collecting keystrokes and browser history
The threat actor behind DTrack hides its malicious code inside a harmless-looking executable, protected behind an encryption layer in the dropper used to install the malware.
In addition to disguising itself as a harmless process, the malware can perform many operations:
- Log keystrokes
- Retrieve browser history
- Collect host IP addresses, information about available networks and active connections
- List all running processes
- List all files on all available disk volumes
The collected data is then archived as a password-protected file that can be saved to disk or sent to the command and control server.
Researchers have classified ATMDTrack as a subset of the DTrack family, saying that the developers behind the two malware families are “the same group.”
Given the sophistication of the operation, targeted organizations are advised to strengthen their network and password policies and to monitor network traffic for suspicious behavior.
Kaspersky concluded: “The large number of DTrack samples we were able to find indicates that the Lazarus group is one of the most active APT groups in malware development. And again, we saw the team use similar tools for economically motivated attacks and pure spy attacks