By Mukul Ahluwalia (Product Marketing Manager, ColorTokens), Ajay Kumar (Senior Security Analyst, ColorTokens) and Deepak Polam Reddy (Quality Engineer, ColorTokens)
A new strain of malware, known as DTrack, was recently detected infecting financial institutions across 18 states of India. Maharashtra bore the brunt of the attack with 24% of the infected systems, followed by Karnataka at 18.5% and Telangana at 12%. Other states include Tamil Nadu, Delhi, Kerala, Uttar Pradesh, and West Bengal.
DTrack is a spy tool that can upload and download files, record keystrokes, and perform other actions typical of a Remote Administration Tool (RAT) used with malicious intent. Researchers have identified code similarities between DTrack and ATMDtrack, a malware used to steal sensitive customer data from ATMs and systems located at Indian financial and research institutes. Security researchers found more than 180 new malware samples whose code sequences resembled those of ATMDtrack. The code sequences were also similar to those of the 2013 DarkSeoul campaign, launched by a notorious advanced persistent threat (APT) group.
DTrack contains an executable that spies on the victim machine, and also has a variety of payload executables that can collect:
In the initial stage of the attack, the threat actors drop a payload whose data is fully encrypted and stored as an overlay appended to the portable executable (PE) file, serving as an extra layer of concealment. After the overlay is decrypted, the process hollowing routine starts, taking the name of the process to be hollowed as an argument; the name comes from a predefined list found inside the decrypted overlay. DTrack then hollows an existing system application from the system32 folder, which is generally whitelisted, and uses it to run its malicious code and infect the host.
DTrack is living-off-the-land malware that uses standard Windows applications to infect systems and propagate laterally. Most endpoint protection solutions allow these applications to run because they are legitimate processes used by system administrators.
DTrack evades detection by using obfuscation techniques such as packing. The initial DTrack payload is packed; once the malware executes, it unpacks itself and infects the system. This makes it harder to detect with traditional technology and dated processes due to:
Most endpoint protection solutions deployed today are designed to protect against the known bad and rely on a directory of signatures that needs to be constantly updated. When malware strains like DTrack infect a system, they take advantage of inherent system vulnerabilities and take over the system using ‘trusted’ processes. To prevent APTs, financial and research institutions need to implement solutions that not only monitor traffic but also detect and prevent suspicious behavior, even when it is initiated by trusted applications or users.
ColorTokens' proactive endpoint solution, Xprotect, prevents attacks on endpoints, servers, and legacy/fixed-function systems with a robust, signature-less approach. The solution features intelligent algorithms for in-depth analysis of every running process and file present on the system. System processes are analyzed against the known good, that is, the whitelisted processes, and compared with contextual profiles to prevent suspicious behavior or unauthorized activities. This ability allows ColorTokens Xprotect to detect and protect against stealthy malware like DTrack and other malware variants.
When the malware is executed, it decrypts itself, picks a Windows application from the list present in the overlay, and hollows that Windows process to run the malicious code. For instance, it could abuse any of the following applications: Napstat.exe, verclsid.exe, fontview.exe, cleanmgr.exe, Sethc.exe, mstsc.exe, Systray.exe, Write.exe, grpconv.exe, charmap.exe, dwwin.exe, Rasautou.exe, presentationhost.exe, mobsync.exe, ctfmon.exe, Control.exe, Extract32.exe.
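As an added example (not ColorTokens code and not the Xprotect product), the following Python sketches the defender-side checks that the behaviour above implies: for each binary in the list, flag a process whose mapped image no longer matches the file on disk, whose image path lies outside System32, or whose parent runs from a user-writable directory. The snapshot records, paths and hashes are constructed; a real deployment would take them from an EDR or memory-inspection agent.

```python
"""Detection checks for DTrack-style hollowing of whitelisted Windows
binaries. Added example, not ColorTokens code; the snapshot records are
constructed stand-ins for what an EDR/memory-inspection agent would supply."""
from dataclasses import dataclass

# Hollowing candidates named in the article (compared case-insensitively).
DTRACK_HOLLOW_TARGETS = {
    "napstat.exe", "verclsid.exe", "fontview.exe", "cleanmgr.exe", "sethc.exe",
    "mstsc.exe", "systray.exe", "write.exe", "grpconv.exe", "charmap.exe",
    "dwwin.exe", "rasautou.exe", "presentationhost.exe", "mobsync.exe",
    "ctfmon.exe", "control.exe", "extract32.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

@dataclass
class ProcSnapshot:
    pid: int
    name: str
    image_path: str         # path the process claims to run from
    parent_path: str        # image path of the creating process
    disk_image_sha256: str  # hash of the PE .text section on disk
    mem_image_sha256: str   # hash of the same section as mapped in memory

def hollowing_findings(p: ProcSnapshot) -> list[str]:
    """Return indicator tags for one process; an empty list means clean."""
    if p.name.lower() not in DTRACK_HOLLOW_TARGETS:
        return []
    findings = []
    # A whitelisted name started from outside System32 is masquerading.
    if not p.image_path.lower().startswith(SYSTEM32):
        findings.append("image-path-outside-system32")
    # Hollowing swaps the mapped image, so memory no longer matches disk.
    if p.disk_image_sha256 != p.mem_image_sha256:
        findings.append("memory-image-differs-from-disk")
    # These utilities are normally spawned by explorer/svchost, not by a
    # dropper sitting in %TEMP%, AppData or Downloads.
    if any(d in p.parent_path.lower() for d in USER_WRITABLE):
        findings.append("parent-from-user-writable-dir")
    return findings

def scan(snapshots: list[ProcSnapshot]) -> dict[int, list[str]]:
    """Map pid -> findings for every snapshot that raised at least one."""
    return {s.pid: f for s in snapshots if (f := hollowing_findings(s))}
# Constructed sample: a benign charmap.exe and a hollowed mstsc.exe.
SAMPLE = [
    ProcSnapshot(1001, "charmap.exe", r"C:\Windows\System32\charmap.exe",
                 r"C:\Windows\explorer.exe", "aa11", "aa11"),
    ProcSnapshot(2002, "mstsc.exe", r"C:\Windows\System32\mstsc.exe",
                 r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "bb22", "ff99"),
]
```

A process that is not on the target list produces no findings, so the checks stay narrow; widening the name set to all of System32 is the obvious next step once the image-hash feed is trusted.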
APTs like DTrack require behavior-based protection. ColorTokens Xprotect analyzes system processes against the known good, that is, the whitelisted processes, and compares them with contextual profiles to prevent suspicious or unauthorized activities.
ColorTokens Endpoint protection can:
ColorTokens Xprotect secures endpoints and servers, including legacy and unpatched systems, against known and unknown cyber threats.