Top

Study shows similarities between KKNP cyberattack malware and two trojans

Below are summarized take aways from Cybersecurity training firm Cyberbit's study of the cyberattack which took place last month.

Cybersecurity training firm Cyberbit’s analysis of Dtrack RAT malware variant used in power plant attack finds dropper techniques similar to BackSwap and Ursnif. Initially published in a blog poston its website, below is a summarized version with key points from it.

What is the research: In depth analysis of the Dtrack RAT malware variant used in the recent attack on a power plant in India. The Dtrack variant is considered a targeted attack since it hard coded credentials for KNPP’s internal network. Both the dropper and payload are carefully analyzed and complete findings shared with the malware research community via the Cyberbit blog.

What new findings are you publishing: The Dtrack variant included hardcoded credentials for KNPP’s internal network, suggesting that it was a targeted attack. The malware droppers share techniques with previous malware that we had researched: BackSwap (A banker trojan) and Ursnif (a banker/stealer trojan).

Who is affected?

Potentially any organization but mostly highly-sensitive government, military, and such other critical infrastructure. This variant was carefully customized to specifically target this power plant. North Korean Lazarus Group and other nation

What remediation steps can be taken immediately

Effective detection of this type of highly-targeted malware is likely to generate false-positives that require skilled analysts. This is not acceptable for AV, NGAV and most enterprise-grade EDR solutions and therefore they have difficulty detecting them. Based on the techniques/IOCs found in Cyberbit’s analysis, they suggest targeted critical organizations follow these detection steps.

• Use the hashes (SHA256) we mentioned and blacklist them. (*Note: new hashes emerge all the time, as they can easily be changed.)

• Search for programs that perform delayed execution using ping -n command.

• Search for excessive use of network configuration commands from a single host such as “netstat.exe”,“net.exe use”,”ipconfig.exe” and “netsh.exe”

• Search for process which add a new service usually named ‘WBService’

• Search for an unsigned file that is performing code injection/code hollowing into the Microsoft process

• Look for files where the description doesn’t match the icon. for example, “VNC Viewer” icon for a file described as “Safe Banking Launcher”

Next Story