This article was published on September 24, 2019

North Korean hackers are targeting ATMs in India with new data-stealing malware

North Korean hackers are targeting ATMs in India with new data-stealing malware
Ravie Lakshmanan
Story by

Ravie Lakshmanan

Hackers with ties to North Korean government have developed a new strain of malware that has been used to record and steal data from cards inserted into ATM machines in India.

The banking malware — dubbed ATMDTrack — has been active in the country since late last summer, said Kaspersky Lab researchers in a report published yesterday.

Further analysis of the malware by the Moscow-based cybersecurity firm found the samples to be part of a bigger remote access trojan (RAT) called DTrack.

Calling it a spy tool to attack financial institutions and research centers in India, the experts said the malware strains shared “similarities with the DarkSeoul campaign, dating back to 2013 and attributed to the Lazarus group.”

The DTrack RAT was detected as recently as this month, the researchers noted.

The DarkSeoul attacks targeted high-profile facilities in South Korea, including wiping several computer hard drives associated with banks and television broadcasters, as well as a number of financial companies in 2013.

The campaign was eventually deemed the handiwork of Lazarus Group, the main cryptocurrency-hacker syndicate known for its ties to the North Korean government.

The group also earned a place in the US government’s sanctions list last week for its notorious attacks on critical infrastructure and siphon money from businesses to fund the country’s weapons and missile programs.

Collecting key logs and browser histories

The threat actors behind DTrack obfuscated their malicious code in an innocuous executable file that was protected behind encryption barriers in a dropper used to install the malware.

Aside from disguising itself as a harmless process, the malware can perform a number of operations such as:

  • Keylogging
  • Retrieving browser history
  • Gathering host IP addresses, information about available networks and active connections
  • Listing all running processes
  • Listing all files on all available disk volumes

The collected data was then archived as a password-protected file that’s either saved to the disk or sent to a command-and-control server.

Classifying ATMDTrack as a subset of the DTrack family, the researchers said the developers behind the two malware strains are the “same group of people.”

Given the sophistication of the modus operandi, it’s recommended that target organizations beef up their network and password policies and monitor network traffic for any suspicious behavior.

“The vast amount of DTrack samples that we were able to find shows that the Lazarus group is one of the most active APT groups in terms of malware development,” Kaspersky concluded. “And once again, we see that this group uses similar tools to perform both financially-motivated and pure espionage attacks.”

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with

Back to top