By Mukul Ahluwalia (Product Marketing Manager, ColorTokens), Ajay Kumar (Senior Security Analyst, ColorTokens) and Deepak Polam Reddy (Quality Engineer, ColorTokens)
A new strain of malware, known as DTrack, was recently detected infecting financial institutions across 18 states of India. Maharashtra bore the brunt of the attack with 24 percent of the infected systems, followed by Karnataka at 18.5 percent and Telangana at 12 percent. Other states include Tamil Nadu, Delhi, Kerala, Uttar Pradesh, and West Bengal.
DTrack is a spy tool that can upload and download files, record keystrokes, and conduct other actions similar to a Remote Administration Tool (RAT) with malicious intent. Researchers have identified code similarities between DTrack and ATMDtrack – a malware used to steal sensitive customer data from ATMs and systems located at Indian financial and research institutes. Security researchers found more than 180 new malware samples that had code sequence similarities with the ATMDtrack. The code sequence was also similar to the 2013 DarkSeoul campaign, launched by an infamous advanced persistence threat (APT) group.
DTrack contains an executable that spies on the victim machine, and also has a variety of payload executables that can collect:
- Keylogging information
- Retrieve browser history
- Gather host IP addresses, information about available networks and active connections
- List of all running processes
- List of all files on all available disk volumes
How DTrack Malware Infects the System
In the initial stage of the attack, threat actors drop the payload, which is entirely encrypted with an overlay in the portable executable (PE) file, as an extra layer. After decryption of the data, the process hollowing code starts by taking the name of the process to be hollowed as an argument. The name comes from the predefined list found within the decrypted overlay. DTrack then uses the existing system application in the system32 folder, which is generally whitelisted and used maliciously to infect. DTrack malware uses these system32 applications to evade and run malicious code.
How Can You Contain DTrack Malware?
DTrack is living off the land malware which uses standard Windows applications to infect and propagate laterally. Most endpoint protection solutions allow these applications to run as they are legitimate processes used by the system admins.
DTrack evades detection by using obfuscation techniques like packing. The initial payload for the DTrack malware is packed, however, once the malware executes it unpacks itself and infects the system. This makes it harder to detect with traditional technology and dated processes due to:
- Lack of network traffic monitoring with granularity
- Inability to see and block all command & control communications
- No Process whitelisting
- Lack of regular security audits
- Weak network security policies and password standards
Most endpoint protection solutions deployed today are designed to protect against the known bad and rely on a directory of signatures that needs to be constantly updated. When malware strains like DTrack infect the system, they take advantage of inherent system vulnerabilities and take over the system using ‘trusted’ processes. To prevent APTs, financial and research institutions need to implement solutions that can not only monitor traffic but also detect and prevent suspicious behavior, even though they are initiated by trusted applications or users.
ColorTokens Endpoint Protection Solution
ColorTokens proactive endpoint solution prevents attacks on endpoints, servers, and legacy/fixed-function systems with a robust, signature-less approach. The solution features intelligent algorithms for an in-depth analysis of every running process and file present in the system. The system processes are analyzed with the known good, that is, the whitelisted processes, and compared with contextual profiles to prevent suspicious behavior or unauthorized activities. This ability allows the ColorTokens endpoint solution to detect and protect from stealthy malware like DTrack and other malware variants.
When the malware is executed, it decrypts itself, picks a windows application from the list which is present in the overlay, and hollows the windows process to run the malicious code. For instance, it could exploit any of the following applications: Napstat.exe, verclsid.exe, fontview.exe, cleanmgr.exe, Sethc.exe, mstsc.exe, Systray.exe, Write.exe, grpconv.exe, charmap.exe, dwwin.exe, Rasautou.exe, presentationhost.exe, mobsync.exe, ctfmon.exe, Control.exe, Extract32.exe.
APT’s like DTrack require behavior-based protection. ColorTokens endpoint protection analyses system processes with the known good, that is, the whitelisted processes, and compares it with contextual profiles to prevent suspicious or unauthorized activities.
ColorTokens Endpoint protection can:
- Lockdown ATMs, kiosks, special-purpose terminals, and POS systems
- Provide comprehensive security visibility in hybrid environments even at the process-level
- Protect unpatched and legacy systems
- Audits and compliance reports
- Behavior-based protection using rules
ColorTokens security solutions secure endpoints and servers, including legacy and unpatched systems, against known and unknown cyber threats.