Dtrack
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1560 | Archive Collected Data |
Dtrack packs collected data into a password protected archive.[2] |
|
| Enterprise | T1547 | Boot or Logon Autostart Execution |
Dtrack’s RAT makes a persistent target file with auto execution on the host start.[2] |
|
| Enterprise | T1217 | Browser Information Discovery | ||
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Dtrack can add a service called WBService to establish persistence.[4] |
| Enterprise | T1005 | Data from Local System |
Dtrack can collect a variety of information from victim machines.[4] |
|
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Dtrack can save collected data to disk, different file formats, and network shares.[2][4] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Dtrack has used a decryption routine that is part of an executable physical patch.[2] |
|
| Enterprise | T1083 | File and Directory Discovery | ||
| Enterprise | T1574 | Hijack Execution Flow |
One of Dtrack can replace the normal flow of a program execution with malicious code.[4] |
|
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion | |
| Enterprise | T1105 | Ingress Tool Transfer |
Dtrack’s can download and upload a file to the victim’s computer.[2][4] |
|
| Enterprise | T1056 | .001 | Input Capture: Keylogging | |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
One of Dtrack can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla.[4] |
| Enterprise | T1027 | .009 | Obfuscated Files or Information: Embedded Payloads |
Dtrack has used a dropper that embeds an encrypted payload as extra data.[2] |
| Enterprise | T1057 | Process Discovery | ||
| Enterprise | T1055 | .012 | Process Injection: Process Hollowing |
Dtrack has used process hollowing shellcode to target a predefined list of processes from |
| Enterprise | T1012 | Query Registry |
Dtrack can collect the RegisteredOwner, RegisteredOrganization, and InstallDate registry values.[4] |
|
| Enterprise | T1129 | Shared Modules |
Dtrack contains a function that calls |
|
| Enterprise | T1082 | System Information Discovery |
Dtrack can collect the victim's computer name, hostname and adapter information to create a unique identifier.[2][4] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
Dtrack can collect the host's IP addresses using the |
|
| Enterprise | T1049 | System Network Connections Discovery |
Dtrack can collect network and active connection information.[2] |
|
| Enterprise | T1078 | Valid Accounts |
Dtrack used hard-coded credentials to gain access to a network share.[4] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group |
References
- Kaspersky Global Research and Analysis Team. (2019, September 23). DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers. Retrieved January 20, 2021.
- Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
- Dragos. (n.d.). WASSONITE. Retrieved January 20, 2021.