Security researchers at Kaspersky observed the suspected North Korean hacker group dubbed “Andariel” using its well-known DTrack malware against targets in the European Union. Previously, in February 2020, Dragos concluded that DTrack was linked to the North Korean threat group ‘Wassonite’ and that it targeted nuclear energy and oil and gas facilities.
Who is the Andariel Threat Group?
Andariel is a cyber threat group that is believed to be operating out of North Korea. The group has been active since at least 2015 and is known for targeting organizations in South Korea, as well as other countries in the region. The group is known for using a variety of tactics, including phishing campaigns and malware infections, to gain access to target systems and steal sensitive data.
Andariel is believed to be sponsored by the North Korean government and has been linked to a number of high-profile cyber attacks, including the 2017 WannaCry ransomware attack that affected organizations in more than 150 countries. The group is also known to have targeted financial institutions, media companies, and government agencies.
Andariel is known to use a variety of malware in its attacks, including custom malware and off-the-shelf tools. The group has been linked to the use of malware such as FALLCHILL, a remote access trojan (RAT) that allows attackers to remotely control infected systems. Andariel has also been linked to other types of malware that fit its mission objectives. One of them is the DTrack malware framework.
What is the DTrack malware?
DTrack is a sophisticated backdoor that is made up of multiple components. Its core functionality includes operations to upload a file to the victim’s system, log keystrokes, capture screenshots, collect browsing history, steal files, infiltrate network systems, and send collected information to a remote host. It has been used in financial environments to breach ATMs, in ransomware attacks and in espionage activities.
The malware is delivered to target systems through various means, such as phishing campaigns or malware-laden websites. Once it is installed on a system, the malware is designed to evade detection and remain hidden while it collects information about the system and its users.
DTrack malware is capable of collecting a wide range of information, including system data, network information, and user data. It can also execute commands on the infected system, such as downloading additional malware or exfiltrating data. The malware is able to communicate with its command and control servers over encrypted channels, making it difficult for security teams to detect and disrupt its activities.
Although DTrack has not undergone many alterations over the years, there are some noteworthy modifications. The malicious software is concealed inside an executable that appears to be a legitimate program, and a sequence of decryption steps runs before the malware delivers its payload.
It is evident that Andariel continues to regard DTrack as a valuable resource, based on the alterations made to its packing. Since the malware was first uncovered in 2019, few changes have been made to it. When investigating its targets, it can be seen that the scope of its operations has extended to Europe and Latin America, a trend that the researchers at Kaspersky have been noticing more frequently.
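The packing described above, an encrypted payload hidden inside an executable that otherwise looks legitimate, is something defenders can triage with a simple entropy scan: encrypted or compressed data scores close to 8 bits per byte, while ordinary machine code and text score far lower. The following script is an added example written for this page, not code from Kaspersky or from any DTrack analysis; the window size, the 7.0 bits/byte threshold and the sample file it builds (a repeating pseudo-instruction pattern followed by deterministic pseudo-random bytes standing in for an encrypted payload) are all constructed assumptions.

```python
import math
import random
from collections import Counter

# Window size (bytes) and entropy threshold (bits/byte) for the scan.
# A threshold around 7.0 bits/byte is a common packer/crypter heuristic;
# both values are assumptions chosen for this example.
WINDOW = 1024
THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_high_entropy_regions(blob: bytes, window: int = WINDOW,
                              threshold: float = THRESHOLD):
    """Split blob into fixed-size windows and merge consecutive windows whose
    entropy is >= threshold into regions.

    Returns a list of (offset, length, mean_entropy) tuples; an empty list
    means nothing in the file looked encrypted or compressed."""
    regions = []
    start = None      # offset where the current high-entropy run began
    scores = []       # per-window entropies of the current run
    for off in range(0, len(blob), window):
        chunk = blob[off:off + window]
        if len(chunk) < window // 2:   # ignore a short trailing window
            break
        e = shannon_entropy(chunk)
        if e >= threshold:
            if start is None:
                start = off
            scores.append(e)
        elif start is not None:
            regions.append((start, off - start, sum(scores) / len(scores)))
            start, scores = None, []
    if start is not None:
        regions.append((start, len(blob) - start, sum(scores) / len(scores)))
    return regions


def build_sample() -> bytes:
    """Constructed test input, not a real binary: 4096 bytes of a repeating
    16-byte pseudo-instruction pattern (low entropy, like real code) followed
    by 4096 bytes of seeded pseudo-random data (high entropy, like an
    encrypted embedded payload)."""
    code_like = bytes.fromhex("558bec83ec108b450833c0c9c3909090") * 256
    rng = random.Random(20221118)          # arbitrary fixed seed
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    return code_like + payload


if __name__ == "__main__":
    sample = build_sample()
    for offset, length, entropy in scan_high_entropy_regions(sample):
        print(f"high-entropy region at 0x{offset:x}, {length} bytes, "
              f"mean entropy {entropy:.2f} bits/byte")
```

Treat a flagged region as a triage signal, not a verdict: legitimately signed installers, executables with compressed resources and many commercial protectors also produce high-entropy sections, so a hit should route the file to sandboxing or manual unpacking rather than straight to a block list.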
Why would North Korea attack the European Union?
It is not uncommon for countries to use cyber attacks as a means of advancing their strategic interests or objectives. North Korea has been linked to a number of cyber attacks against organizations in Europe, as well as other parts of the world, and it is believed that the country may have several motivations for doing so.
One possible reason is to generate revenue. North Korea is subject to economic sanctions and has limited access to traditional sources of funding, so it is thought that the country may use cyber attacks as a means of generating income through activities such as stealing sensitive data or extorting organizations.
Another potential reason is to gather intelligence or disrupt the operations of targeted organizations. North Korea may use cyber attacks to gather information about political, economic, or military developments in other countries, or to disrupt the operations of organizations that are perceived as being hostile to the regime.
It is also possible that North Korea may use cyber attacks as a means of projecting power and influence beyond its borders. By demonstrating its ability to carry out successful cyber attacks, the country may hope to gain a strategic advantage in its relations with other countries.
There are a few potential trends that could shape the way that North Korea uses cyber attacks in the coming years. One possibility is that the country will continue to focus on generating revenue through cyber attacks, such as by stealing sensitive data or extorting organizations. North Korea is subject to economic sanctions and has limited access to traditional sources of funding, so it may rely on cyber attacks as a means of generating income.
Another trend that could emerge is an increased focus on targeted attacks against specific organizations or industries. North Korea has been linked to a number of high-profile attacks in the past, including the WannaCry ransomware attack and the Sony Pictures hack, and it is possible that the country will continue to target specific organizations or sectors that are deemed to be of strategic importance.
It is also possible that North Korea will continue to develop and improve its cyber capabilities, including the use of more sophisticated malware and techniques for evading detection. As with any country, North Korea’s cyber capabilities are likely to evolve over time as it seeks to advance its interests and objectives.
Overall, it is important for organizations and governments to be aware of the threat posed by North Korean cyber attacks and to take appropriate measures to protect themselves. This can include implementing strong cybersecurity measures, having effective monitoring and detection systems in place, and being prepared to respond to potential threats.