Hackers with ties to the North Korean government have developed a new strain of malware, dubbed ATMDtrack, that has been used to record and steal data from payment cards inserted into ATMs in India.
Threat actors deployed the malware on ATM systems to steal the payment card details of bank customers.
ATMDtrack has been spotted on the networks of Indian banks since late summer 2018; a more sophisticated version, tracked as Dtrack, was involved in attacks aimed at Indian research centers.
Calling it a spy tool to attack financial institutions and research centers in India, the experts said the malware strains shared “similarities with the DarkSeoul campaign, dating back to 2013 and attributed to the Lazarus group.” The DTrack RAT was detected as recently as this month, the researchers noted.
“In the late summer of 2018, we discovered ATMDtrack, a piece of banking malware targeting Indian banks. Further analysis showed that the malware was designed to be planted on the victim’s ATMs, where it could read and store the data of cards that were inserted into the machines,” reads the analysis published by Kaspersky.
According to Kaspersky, the most recent attacks involving the malware were observed at the beginning of September 2019.
DTrack was developed to spy on victims and exfiltrate data of interest; it supports features normally implemented in a remote access trojan (RAT).
“At this point, the design philosophy of the framework becomes a bit unclear. Some of the executables pack the collected data into a password protected archive and save it to the disk, while others send the data to the C&C server directly,” says Kaspersky.
“Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading/downloading, executing files, etc.”
Once they had decrypted the final payload, Kaspersky researchers noticed similarities with the Dark Seoul campaign uncovered in 2013 and attributed to the Lazarus APT group. The attackers reused part of their old code in the recent attacks on the financial sector and research centers in India.
“The most obvious function they have in common is the string manipulation function. It checks if there is a CCS_ substring at the beginning of the parameter string, cuts it out and returns a modified one. Otherwise, it uses the first byte as an XOR argument and returns a decrypted string.” states the analysis.
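The string-handling routine quoted above is simple enough to reimplement as an analyst-side decoder, which is useful when triaging strings carved from a sample. The following is an added example, not code from Kaspersky or from the malware; the exact XOR loop (every byte after the key byte is XORed with the key byte) and the handling of empty input are assumptions, and the sample table is constructed, not real indicators.

```python
"""Decoder for the CCS_ / single-byte-XOR string scheme described in the
write-up (added example). Strings that start with the marker "CCS_" are
cleartext with the marker stripped; any other string uses its first byte
as a one-byte XOR key for the remainder. Edge cases are assumptions."""
from typing import List, Optional

CLEAR_MARKER = b"CCS_"


def decode_string(blob: bytes) -> bytes:
    """Return the cleartext for one obfuscated string."""
    if blob.startswith(CLEAR_MARKER):
        # Cleartext variant: cut out the marker and return the remainder.
        return blob[len(CLEAR_MARKER):]
    if not blob:
        # Assumption: an empty input decodes to an empty string.
        return b""
    key = blob[0]
    # Assumption: every byte after the key byte is XORed with the key byte.
    return bytes(b ^ key for b in blob[1:])


def encode_string(text: bytes, key: Optional[int] = None) -> bytes:
    """Produce a sample in the same format (used here only to build test data)."""
    if key is None:
        return CLEAR_MARKER + text
    return bytes([key]) + bytes(b ^ key for b in text)


def decode_table(blobs: List[bytes]) -> List[bytes]:
    """Decode a whole list of obfuscated strings, e.g. ones carved from a binary."""
    return [decode_string(b) for b in blobs]


# Constructed sample table: one marked cleartext string and two
# XOR-obfuscated strings with different key bytes.
SAMPLE_TABLE = [
    encode_string(b"kernel32.dll"),
    encode_string(b"GetTempPathA", key=0x5A),
    encode_string(b"archive.zip", key=0x13),
]

if __name__ == "__main__":
    for raw, clear in zip(SAMPLE_TABLE, decode_table(SAMPLE_TABLE)):
        print(raw.hex(), "->", clear.decode("ascii", "replace"))
```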
The discovery of the ATMDtrack malware confirms the intense activity of the Lazarus APT group.
The state-sponsored group continues to develop malware used in both financially motivated attacks and cyber espionage operations.