Malware that can steal information from systems as well as manipulate it has been found active in some Indian financial institutions and research centres, cyber security firm Kaspersky said on Monday.
Researchers of the company have attributed the development of the malicious software to cyber espionage group Lazarus, which has been associated with Wannacry ransomware infections that affected several systems in India in 2017.
"Kaspersky Global Research and Analysis Team have discovered a previously unknown spy tool, which had been spotted in Indian financial institutions and research centres.
"Called Dtrack, this spyware reportedly was created by the Lazarus group and is being used to upload and download files to victims' systems, record keystrokes and conduct other actions typical of a malicious remote administration tool (RAT)," Kaspersky said in a statement.
In 2018, Kaspersky researchers discovered ATMDtrack, malware that was created to infiltrate Indian ATMs and steal customer card data.
The team investigated the malware further and found more than 180 new malware samples that were similar to ATMDtrack but were not aimed at ATMs.
"Instead their list of functions defined them as spy tools -- now known as Dtrack. Dtrack can be used as a remote admin tool (RAT), giving threat actors complete control over infected devices. Criminals can then perform different operations, such as uploading and downloading files and executing key processes," the statement said.
Kaspersky said that if Dtrack is successfully implemented, it can list all available files and running processes and collect keystrokes, browser history and host IP addresses, including information about available networks and active connections.
"Lazarus is a rather unusual nation state-sponsored group. On one hand, as many other similar groups do, it focuses on conducting cyber espionage or sabotage operations. Yet, on the other hand, it has also been found to influence attacks that are clearly aimed at stealing money," Konstantin Zykov, Security Researcher at Kaspersky's Global Research and Analysis Team, said.
The newly discovered malware is active and, based on Kaspersky telemetry, is still used in cyberattacks, the statement said.
"Their (Lazarus) successful execution of Dtrack RAT proves that even when a threat seems to disappear, it can be resurrected in a different guise to attack new targets," Zykov said.
Disclaimer: No Business Standard Journalist was involved in creation of this content