It asks the recipient to open a link to revise an agreement. The link lands on a website that imitates the victim's organization homepage, where the user only has to type in the password.
Lazarus hits Europe and Latin America with a new DTrack version. Kaspersky cybersecurity experts: the North Korea-linked malware hides inside an executable that looks like a legitimate program and goes through several decryption stages before starting
DTrack has a new version, used by North Korea's Lazarus group to hit European and Latin American organizations. Kaspersky cybersecurity experts discovered it. The targeted sectors include education, chemical manufacturing, governmental research centers and policy institutes, IT service providers, utility providers and telecommunications. The malware now hides inside an executable that looks like a legitimate program, and there are several stages of decryption before the payload starts. Furthermore, the Threat Actors use API hashing to load the required libraries and functions: in previous samples the names of the libraries to be loaded were stored as obfuscated strings, while now only hash values of the names are present in the binary. Finally, the latest DTrack versions use three C2 servers instead of six. The rest of the payload's functionality remains the same.
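API hashing, as described above, removes the plain-text import names an analyst would otherwise grep for; the usual analysis response is to precompute the hash of every exported name of the common Windows DLLs and look the sample's hash constants up in that table. The following is an added illustration of that approach, not code from Kaspersky or from the DTrack sample: the ROR13 hash routine and the short export list are assumptions for the demonstration, since the page does not state which algorithm DTrack uses.

```python
# Added example: resolve hashed API names the way an analyst does when a
# sample carries hash constants instead of import strings.
# ASSUMPTION: the ROR13-add routine below is a generic, widely seen scheme;
# it is NOT stated on the page to be the one DTrack uses.

def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """Generic ROR13 hash over the ASCII bytes of an export name (assumed)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Constructed export list; a real table is built from the DLL export
# directories of kernel32.dll, ws2_32.dll, etc.
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "CreateFileW", "WriteFile",
    "VirtualAlloc", "WSAStartup", "connect", "send", "recv",
]


def build_table(names):
    """Map hash value -> export name for every known name."""
    return {api_hash(n): n for n in names}


def resolve(hash_values, table):
    """Return the export name for each hash, or a marker if not in table."""
    return [table.get(h, f"unknown:0x{h:08x}") for h in hash_values]


if __name__ == "__main__":
    table = build_table(KNOWN_EXPORTS)
    # Constructed "constants found in a sample": two known names and one miss.
    sample_hashes = [api_hash("GetProcAddress"), api_hash("connect"), 0x12345678]
    for h, name in zip(sample_hashes, resolve(sample_hashes, table)):
        print(f"0x{h:08x} -> {name}")
```

In practice the table is generated once from the export directories of the standard DLLs, and any hash that stays unresolved is a hint that the sample targets an unusual library or a different hash routine.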