Cybersecurity training firm Cyberbit's analysis of the Dtrack RAT malware variant used in the attack on a power plant in India finds dropper techniques similar to those of BackSwap and Ursnif. The research was initially published in a blog post on Cyberbit's website; below is a summarized version of its key points.

What is the research?
An in-depth analysis of the Dtrack RAT malware variant used in the recent attack on a power plant in India. Both the dropper and the payload were analyzed, and the complete findings were shared with the malware research community via the Cyberbit blog.

Who is affected?
Potentially any organization, but mostly highly sensitive government, military and other critical-infrastructure organizations. This variant was carefully customized to target this specific power plant.

What new findings are you publishing?
The Dtrack variant included hard-coded credentials for the internal network of KNPP (the Kudankulam Nuclear Power Plant), which is why it is considered a targeted attack. The malware droppers share techniques with previous malware Cyberbit had researched: BackSwap (a banking trojan) and Ursnif (a banker/stealer trojan). Effective detection of this type of highly targeted malware is likely to generate false positives that require skilled analysts to triage. That is not acceptable for AV, NGAV and most enterprise-grade EDR solutions, and therefore they have difficulty detecting it.

North Korean Lazarus Group and other nation

What remediation steps can be taken immediately?
Use the SHA256 hashes listed in Cyberbit's post and blacklist them. Based on the techniques and IOCs found in the analysis, Cyberbit suggests that targeted critical organizations follow these detection steps:

- Search for processes that add a new service, usually named "WBService".
- Search for an unsigned file that performs code injection or process hollowing into a Microsoft process.
- Look for files whose description does not match their icon, for example a "VNC Viewer" icon on a file described as "Safe Banking Launcher".
- Search for excessive use of network configuration commands from a single host, such as "netstat.exe" and "ipconfig".
- Search for programs that perform delayed execution using the "ping -n" command.
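As an added example (not code from Cyberbit's post or from the Dtrack analysis), the Python below runs four of the five hunting steps above over constructed Sysmon-style telemetry records: a WBService service install, an unsigned image injecting into a Microsoft-signed process, a burst of network-configuration commands from one host, and a cmd.exe line that uses "ping -n" as a sleep before its real command. The event schema, field names, the 5-commands-in-10-minutes threshold, the hostnames and every sample event are assumptions made for the illustration. The icon/description-mismatch check is left out because it needs PE resource parsing of the file on disk rather than process telemetry.

```python
"""Dtrack-style hunting heuristics over constructed process telemetry.

Assumption: telemetry has been normalised into dicts with at least "host",
"time" and "event"; the remaining keys are a hypothetical schema, not any
product's. Nothing here is Cyberbit's code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Images counted as "network configuration commands" (assumed list).
NETWORK_RECON_IMAGES = {"netstat.exe", "ipconfig.exe", "net.exe", "net1.exe", "arp.exe"}

# "ping -n <count> ... &" or "&&": the classic cmd.exe substitute for sleep
# before running the next command in the same line.
DELAYED_PING_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\b[^&]*&", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_wbservice_installs(events):
    """Step 1: processes that registered a new service named WBService."""
    return [(e["host"], e["image"]) for e in events
            if e["event"] == "service_install"
            and e.get("service_name", "").lower() == "wbservice"]


def find_unsigned_injection(events):
    """Step 2: an unsigned source image creating a thread in a Microsoft-signed process."""
    hits = []
    for e in events:
        if e["event"] != "create_remote_thread":
            continue
        if not e.get("source_signed", False) and e.get("target_signer", "").startswith("Microsoft"):
            hits.append((e["host"], e["image"], e["target_image"]))
    return hits


def find_recon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Step 4: hosts running at least `threshold` recon commands inside any `window`.

    Returns {host: largest number of recon commands seen in one window}.
    """
    per_host = defaultdict(list)
    for e in events:
        if e["event"] == "process_create" and _basename(e["image"]) in NETWORK_RECON_IMAGES:
            per_host[e["host"]].append(e["time"])
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged


def find_ping_delays(events):
    """Step 5: command lines that use `ping -n` as a delay before the next command."""
    return [(e["host"], e["command_line"]) for e in events
            if e["event"] == "process_create"
            and DELAYED_PING_RE.search(e.get("command_line", ""))]


def hunt(events):
    """Run all four heuristics and return the findings keyed by step."""
    return {
        "wbservice_installs": find_wbservice_installs(events),
        "unsigned_injection": find_unsigned_injection(events),
        "recon_bursts": find_recon_bursts(events),
        "ping_delays": find_ping_delays(events),
    }


# Constructed sample telemetry (hostnames, paths and timestamps are invented).
T0 = datetime(2019, 10, 28, 9, 0, 0)
SAMPLE_EVENTS = [
    {"host": "ws-17", "time": T0, "event": "service_install",
     "image": r"C:\Users\Public\launcher.exe", "service_name": "WBService"},
    {"host": "ws-17", "time": T0 + timedelta(seconds=5), "event": "create_remote_thread",
     "image": r"C:\Users\Public\launcher.exe", "source_signed": False,
     "target_image": r"C:\Windows\explorer.exe", "target_signer": "Microsoft Windows"},
    {"host": "ws-17", "time": T0 + timedelta(seconds=8), "event": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c ping -n 10 127.0.0.1 > nul & del C:\Users\Public\launcher.exe"},
    # six recon commands from ws-17 within two minutes
    *[{"host": "ws-17", "time": T0 + timedelta(seconds=20 * i), "event": "process_create",
       "image": r"C:\Windows\System32\netstat.exe" if i % 2 else r"C:\Windows\System32\ipconfig.exe",
       "command_line": "netstat -ano" if i % 2 else "ipconfig /all"} for i in range(6)],
    # benign host: a single ipconfig, a Microsoft-signed injector, a plain ping
    {"host": "ws-02", "time": T0, "event": "process_create",
     "image": r"C:\Windows\System32\ipconfig.exe", "command_line": "ipconfig /all"},
    {"host": "ws-02", "time": T0, "event": "create_remote_thread",
     "image": r"C:\Windows\System32\csrss.exe", "source_signed": True,
     "target_image": r"C:\Windows\explorer.exe", "target_signer": "Microsoft Windows"},
    {"host": "ws-02", "time": T0, "event": "process_create",
     "image": r"C:\Windows\System32\PING.EXE", "command_line": "ping -n 4 10.0.0.1"},
]

if __name__ == "__main__":
    for step, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{step}: {hits}")
```

Only ws-17 trips any heuristic; ws-02's lone ipconfig, signed injector and unchained ping stay quiet. The recon threshold and window are the knobs to tune against the baseline of the environment, since admins and monitoring agents legitimately run these commands, which is the false-positive load the analysis warns about.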
