Week 46 | 14th – 18th November 2022

Key Issue: Lazarus Group targets multiple countries with DTrack malware
Cybercriminals: Cybercriminals continue to capitalise on seasonal events
Nation-State: China-backed actors sustain surveillance and espionage efforts

KEY ISSUE:

This week we reported on the North Korean nation-state unit Lazarus group targeting victims across multiple regions including Europe, Asia, and South America with the DTrack backdoor. The tool was first discovered in 2019 and includes features that enable keylogging, screen capture, and the collection of system information. In this latest campaign DTrack has been leveraged to compromise systems in numerous industries including manufacturing, education, governmental research, IT service providers, and policy institutes, and in attempts to achieve some financial gain. The Lazarus group gains initial access to targeted networks by leveraging stolen credentials or exploiting public-facing infrastructure, enabling the DTrack backdoor to unpack malware in several stages.

The payload is retrieved from a file masquerading as a legitimate NVIDIA executable which is then decrypted to reveal a Dynamic Link Library (DLL). This DLL is then loaded using the technique of process hollowing into the Windows file explorer feature explorer.exe and then executed. As of 18 November 2022, we have reported on 15 separate incidents relating to the Lazarus group this year, highlighting that this campaign is the latest in a spate of operations conducted by the threat actor. We access that this pace of activity is likely to continue as the economically isolated Pyongyang is highly reliant on revenue generated from cyber enabled operations to fund its aggressive posture and remain relevant on the international stage.