Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. Dtrack shares similarities with the DarkSeoul campaign, which was attributed to Lazarus Group. [1][2][3][4][5]

ID: S0567
Platforms: Windows
Version: 1.1
Created: 25 January 2021
Last Modified: 18 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1560 Archive Collected Data

Dtrack packs collected data into a password protected archive.[2]

Enterprise T1547 Boot or Logon Autostart Execution

Dtrack’s RAT makes a persistent target file with auto execution on the host start.[2]

Enterprise T1217 Browser Information Discovery

Dtrack can retrieve browser history.[2][4]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Dtrack has used cmd.exe to add a persistent service.[4]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Dtrack can add a service called WBService to establish persistence.[4]

Enterprise T1005 Data from Local System

Dtrack can collect a variety of information from victim machines.[4]

Enterprise T1074 .001 Data Staged: Local Data Staging

Dtrack can save collected data to disk, different file formats, and network shares.[2][4]

Enterprise T1140 Deobfuscate/Decode Files or Information

Dtrack has used a decryption routine that is part of an executable physical patch.[2]

Enterprise T1083 File and Directory Discovery

Dtrack can list files on available disk volumes.[2][4]

Enterprise T1574 Hijack Execution Flow

One of Dtrack can replace the normal flow of a program execution with malicious code.[4]

Enterprise T1070 .004 Indicator Removal: File Deletion

Dtrack can remove its persistence and delete itself.[2]

Enterprise T1105 Ingress Tool Transfer

Dtrack’s can download and upload a file to the victim’s computer.[2][4]

Enterprise T1056 .001 Input Capture: Keylogging

Dtrack’s dropper contains a keylogging executable.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

One of Dtrack can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla.[4]

Enterprise T1027 .009 Obfuscated Files or Information: Embedded Payloads

Dtrack has used a dropper that embeds an encrypted payload as extra data.[2]

Enterprise T1057 Process Discovery

Dtrack’s dropper can list all running processes.[2][4]

Enterprise T1055 .012 Process Injection: Process Hollowing

Dtrack has used process hollowing shellcode to target a predefined list of processes from %SYSTEM32%.[2]

Enterprise T1012 Query Registry

Dtrack can collect the RegisteredOwner, RegisteredOrganization, and InstallDate registry values.[4]

Enterprise T1129 Shared Modules

Dtrack contains a function that calls LoadLibrary and GetProcAddress.[4]

Enterprise T1082 System Information Discovery

Dtrack can collect the victim's computer name, hostname and adapter information to create a unique identifier.[2][4]

Enterprise T1016 System Network Configuration Discovery

Dtrack can collect the host's IP addresses using the ipconfig command.[2][4]

Enterprise T1049 System Network Connections Discovery

Dtrack can collect network and active connection information.[2]

Enterprise T1078 Valid Accounts

Dtrack used hard-coded credentials to gain access to a network share.[4]

Groups That Use This Software

ID Name References
G0032 Lazarus Group