Cybersecurity training firm Cyberbit has analyzed the Dtrack RAT variant used in the attack on an Indian power plant and finds that its dropper shares techniques with the BackSwap and Ursnif banking trojans. The analysis was first published as a blog post on Cyberbit's website; a summary of its key points follows.
What is the research?
An in-depth analysis of the Dtrack RAT variant used in the recent attack on the Kudankulam Nuclear Power Plant (KNPP) in India. The variant is considered a targeted attack because it carried hard-coded credentials for KNPP's internal network. Both the dropper and the payload were analyzed, and the complete findings were shared with the malware research community via the Cyberbit blog.
What are the new findings?
The Dtrack variant included hard-coded credentials for KNPP's internal network, which indicates a targeted attack rather than an opportunistic infection. Its droppers share techniques with two families Cyberbit had previously researched: BackSwap (a banking trojan) and Ursnif (a banking/stealer trojan).
Who is affected?
Potentially any organization, but primarily highly sensitive government, military and other critical-infrastructure operators. This variant was carefully customized to target this specific power plant.
What remediation steps can be taken immediately?
Detection rules sensitive enough to catch this kind of highly targeted malware also generate false positives, and triaging those requires skilled analysts. AV, NGAV and most enterprise-grade EDR products are tuned to avoid that noise, which is why they have difficulty detecting it. Based on the techniques and IOCs found in its analysis, Cyberbit suggests that critical organizations take the following detection steps:
• Block the SHA-256 hashes published in Cyberbit's analysis. (Note: new hashes emerge all the time, since any change to the file changes its hash, so treat hash blocking as a stopgap rather than a primary control.)
• Search for programs that delay their own execution with a "ping -n" command (the ping is chained to the next command and serves as a sleep).
• Search for excessive use of network-configuration commands from a single host, such as "netstat.exe", "net.exe use", "ipconfig.exe" and "netsh.exe".
• Search for processes that add a new service, usually named "WBService".
• Search for unsigned files performing code injection or process hollowing into a legitimate Microsoft process.
• Look for files whose description does not match their icon, for example a "VNC Viewer" icon on a file described as "Safe Banking Launcher".
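The following is an added example of how the first four hunting steps above (hash blocklist, "ping -n" delayed execution, a burst of network-configuration commands from one host, and "WBService" creation) can be turned into rules run over process-creation telemetry. It is not Cyberbit's code. It scans constructed, Sysmon-style process-creation records (host, image, command line, SHA-256); the hostnames, paths and digests are made up for the example, and the placeholder blocklist entry stands in for the hashes published in Cyberbit's report.

```python
"""Hunting rules for the Dtrack indicators listed above (added example)."""
import re
from collections import defaultdict

# Hypothetical blocklist: a placeholder digest standing in for published IOCs.
BLOCKLIST_SHA256 = {"a" * 64}

# Network-configuration commands Dtrack ran in bulk from the infected host.
RECON_IMAGES = {"netstat.exe", "ipconfig.exe", "netsh.exe"}
RECON_THRESHOLD = 4  # distinct recon commands from one host before alerting

# "ping -n <N>" followed by a chained command (&, &&, ||) is a sleep, not a
# connectivity test: the delay runs out, then the next command executes.
PING_DELAY_RE = re.compile(
    r"\bping(?:\.exe)?\s+(?:-\S+\s+)*-n\s+\d+[^&|]*(?:&&|&|\|\|)", re.IGNORECASE)

# "sc create <name> ..." installs a new service; Dtrack's was named WBService.
SERVICE_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)", re.IGNORECASE)


def is_delayed_execution(cmdline):
    """True when a ping -n delay is chained to a follow-on command."""
    return PING_DELAY_RE.search(cmdline) is not None


def is_recon_command(image, cmdline):
    """True for netstat/ipconfig/netsh and for 'net use' specifically."""
    image = image.lower()
    if image in RECON_IMAGES:
        return True
    args = cmdline.split()
    return image == "net.exe" and len(args) > 1 and args[1].lower() == "use"


def created_service(cmdline):
    """Return the service name from an 'sc create' command line, else None."""
    m = SERVICE_CREATE_RE.search(cmdline)
    return m.group(1) if m else None


def hunt(events):
    """Return {host: sorted indicator names} for every host that trips a rule."""
    alerts = defaultdict(set)
    recon_seen = defaultdict(set)
    for ev in events:
        host, image, cmdline = ev["host"], ev["image"], ev["cmdline"]
        if ev.get("sha256") in BLOCKLIST_SHA256:
            alerts[host].add("blocklisted_hash")
        if is_delayed_execution(cmdline):
            alerts[host].add("ping_delayed_execution")
        if is_recon_command(image, cmdline):
            # Count distinct (image, first argument) pairs per host.
            recon_seen[host].add(image.lower() + " " + " ".join(cmdline.split()[1:2]))
        name = created_service(cmdline)
        if name:
            alerts[host].add("service_created:" + name)
    for host, cmds in recon_seen.items():
        if len(cmds) >= RECON_THRESHOLD:
            alerts[host].add("recon_burst")
    return {host: sorted(a) for host, a in alerts.items()}


SAMPLE_EVENTS = [  # constructed records, not from a real incident
    {"host": "ws01", "image": "cmd.exe", "sha256": "b" * 64,
     "cmdline": r"cmd.exe /c ping -n 10 127.0.0.1 > nul && C:\Users\Public\upd.exe"},
    {"host": "ws01", "image": "netstat.exe", "cmdline": "netstat.exe -ano"},
    {"host": "ws01", "image": "net.exe", "cmdline": "net.exe use"},
    {"host": "ws01", "image": "ipconfig.exe", "cmdline": "ipconfig.exe /all"},
    {"host": "ws01", "image": "netsh.exe", "cmdline": "netsh.exe interface show interface"},
    {"host": "ws01", "image": "sc.exe",
     "cmdline": r"sc.exe create WBService binPath= C:\Windows\Temp\svc.exe"},
    {"host": "ws02", "image": "ping.exe", "cmdline": "ping.exe -n 4 fileserver"},
    {"host": "ws02", "image": "ipconfig.exe", "cmdline": "ipconfig.exe /renew"},
    {"host": "ws03", "image": "upd.exe", "cmdline": "upd.exe", "sha256": "a" * 64},
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, ", ".join(hits))
```

The ping rule only fires when the delay is chained to another command, so a plain diagnostic "ping -n 4 fileserver" on ws02 stays quiet, and the recon rule requires several distinct commands from one host, which keeps a lone "ipconfig /renew" from paging anyone. Feed the same functions your EDR's process-creation events and raise the threshold or add exclusions as your baseline demands.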