North Korea (Lazarus Group): One of the three North Korean hacking groups which received sanctions just ten days ago for targeting ATM’s and financial institutions has been seen targeting Indian ATM’s with a new malware linked to them. Named ATMDtrack, the malware has been active since late summer of 2018 on ATM’s and a more advanced version called Dtrack was found on the network of Indian Research centers–which is focused on spying and data theft. Collectively, the malware is being tracked as the Dtrack family. There were similarities found with the malware used in Operation DarkSeoul, which was an operation carried out by the Lazarus Group that targeted South Korea. With the link in the malware and the group being made, this finding only justifies the decision by the US Treasuries Department’s decision to freeze all accounts linked to the group and their monetary gain from illegal hacking. The most recent strains of Dtrack were seen in September 2019 and has many functions of a standard RAT. Samples that are being seen currently can log keystrokes, retrieve browser history, gather host IP addresses, gather information about available networks and active connections, list running processes, and list files on all available disk volumes.
Analyst Notes
Researchers are currently unclear what came first, ATMDtrack or Dtrack itself. The current thought process is that ATMDtrack was derived from Dtrack after North Koran hackers managed to infiltrate Indian banking systems in 2018 and wanted a specialized ATM malware to use. As of right now, there is no indication that the malware is being used in any countries other than India.
