Dtrack RAT: The Malware Targeting Indian Financial Institutions

Researchers discovered the Dtrack spy tool when they were analyzing the ATMDtrack malware that was targeting Indian banks.

The first Dtrack samples found turned out to be dropped payloads: the real payloads were stored encrypted inside various droppers. Decrypting the final payload revealed several similarities with the DarkSeoul campaign, and the researchers believe part of that older code was reused in the attacks against the Indian financial sector. The last detected Dtrack RAT activity was in early September 2019.

The dropper carries an encrypted payload embedded as the overlay of a PE file, that is, data appended after the last section of the executable. Once decrypted, the overlay data contains an extra executable, process hollowing shellcode, and a list of predefined executable names.

  • The decryption routine runs somewhere between the start() and WinMain() functions, i.e. before the host program's own WinMain is reached.
  • The malicious code is embedded in an otherwise harmless executable, such as a default Visual Studio MFC project.
  • Once the data is decrypted, the process hollowing code runs; it takes the name of the process to be hollowed as an argument.
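Because the payload lives in the overlay, the first triage step for a sample like this is to locate where the last section's raw data ends and carve everything after it. The following is an added example, not code from the original report or from the malware: it walks the DOS, COFF and section headers to compute the overlay offset, and builds a constructed minimal PE32 image purely as offline test input. No decryption is attempted, since the page does not describe the cipher used by the droppers.

```python
import struct


def overlay_offset(pe: bytes) -> int:
    """Return the file offset at which the PE overlay begins.

    The overlay is everything past the end of the last section's raw data.
    Returns len(pe) when the file has no overlay.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF file header follows the 4-byte signature:
    #   +4 Machine, +6 NumberOfSections, ..., +20 SizeOfOptionalHeader
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt_hdr = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + size_opt_hdr
    end = 0
    for i in range(num_sections):
        entry = sec_table + i * 40            # each section header is 40 bytes
        # +16 SizeOfRawData, +20 PointerToRawData
        size_raw, ptr_raw = struct.unpack_from("<II", pe, entry + 16)
        end = max(end, ptr_raw + size_raw)
    # A truncated file can claim sections beyond EOF; never return past the end.
    return min(end, len(pe)) if end else len(pe)


def extract_overlay(pe: bytes) -> bytes:
    """Carve the overlay (empty bytes if there is none)."""
    return pe[overlay_offset(pe):]


def build_sample_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE32 with one .text section; test input only, not a real sample."""
    raw_ptr = 0x200                                   # first file-aligned slot after the headers
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)          # PE32 magic, rest zeroed
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI",
        len(section_data), 0x1000,            # VirtualSize, VirtualAddress
        len(section_data), raw_ptr,           # SizeOfRawData, PointerToRawData
        0, 0, 0, 0, 0x60000020)               # relocs/linenumbers, CODE|EXECUTE|READ
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(raw_ptr, b"\0")
    return headers + section_data + overlay


if __name__ == "__main__":
    sample = build_sample_pe(b"\x90" * 0x200, b"ENCRYPTED-PAYLOAD")
    off = overlay_offset(sample)
    print(f"overlay at 0x{off:x}, {len(sample) - off} bytes")
```

On a real dropper the carved bytes are the encrypted blob; the size of the overlay relative to the host binary is itself a useful triage signal, since a benign MFC template program has little reason to carry a large appended blob.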

The droppers were found to contain several executables used for spying.

  • Some payload executables are capable of keylogging, listing running processes, listing files on all disk volumes, gathering details about available networks and active connections, and collecting the host's IP addresses.
  • Some executables pack the collected data into a password-protected archive and save it to disk; others send the data directly to their command-and-control server.

“Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading/downloading, executing files, etc,” said the researchers.

Dtrack vs ATMDtrack

Although ATMDtrack is part of the Dtrack family, the two look different at first glance: the ATMDtrack samples are not encrypted, whereas Dtrack arrives as an encrypted payload inside a dropper.

However, once the Dtrack payload is decrypted, the similar coding style and implemented functions suggest that the same developer is behind both pieces of malware. A striking example is a string-manipulation function: it checks whether the parameter string begins with the substring CCS_ and, if so, strips it and returns the remainder. If CCS_ is not present, the first byte is used as an XOR key to decrypt the rest of the string.
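The routine as described above is easy to reconstruct, and a reconstruction is handy both for recovering strings from a memory dump and for writing a detection around the shared code. The following is an added example written for this page, not the malware's own code: ccs_decode implements the two branches, ccs_encode is the inverse of the XOR branch used only to build test input, and find_ccs_strings sweeps a constructed dump fragment for the CCS_ form. One detail the page does not state is whether the key byte is also part of the plaintext; the example assumes it is not and that only the bytes after it are decrypted.

```python
import re


def ccs_decode(data: bytes) -> bytes:
    """Reconstruction of the shared Dtrack/ATMDtrack string routine.

    - Starts with b"CCS_": the prefix is stripped and the rest returned unchanged.
    - Otherwise: data[0] is the XOR key and is applied to every following byte
      (assumption: the key byte itself is not part of the plaintext).
    """
    if data.startswith(b"CCS_"):
        return data[4:]
    if not data:
        return b""                      # nothing to decrypt, no key byte to read
    key = data[0]
    return bytes(b ^ key for b in data[1:])


def ccs_encode(plain: bytes, key: int) -> bytes:
    """Inverse of the XOR branch; used here only to construct test strings."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes([key]) + bytes(b ^ key for b in plain)


# Printable run following the CCS_ marker, as it would sit NUL-terminated in a dump.
_CCS_RE = re.compile(rb"CCS_[\x20-\x7e]+")


def find_ccs_strings(blob: bytes) -> list:
    """Return the decoded form of every CCS_-prefixed string found in blob."""
    return [ccs_decode(m.group(0)) for m in _CCS_RE.finditer(blob)]


if __name__ == "__main__":
    # Constructed dump fragment; not taken from any real sample.
    dump = b"\x00\x00CCS_kernel32.dll\x00\x11\x22CCS_cmd.exe\x00"
    print(find_ccs_strings(dump))
    print(ccs_decode(ccs_encode(b"cmd.exe", 0x5A)))
```

Because the plaintext branch is a fixed four-byte marker, a search for CCS_ followed by printable characters is a cheap first pass over process memory; the XOR branch cannot be hunted the same way, since any byte can be a key, so strings in that form are only recoverable once you know where the routine is called from.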

Researchers also identified distinctive sequences common to both the ATMDtrack and Dtrack memory dumps.