1. Home
  2. Software
  3. Daserf

Daserf

Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. [1] [2]

ID: S0187
Associated Software: Muirim, Nioupale
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 16 January 2018
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description
Muirim

[1]
Nioupale

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Daserf uses HTTP for C2.[2]
Enterprise T1560 Archive Collected Data

Daserf hides collected data in password-protected .rar archives.[3]
.001 Archive via Utility

Daserf hides collected data in password-protected .rar archives.[3]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Daserf can execute shell commands.[1][2]
Enterprise T1132 .001 Data Encoding: Standard Encoding

Daserf uses custom base64 encoding to obfuscate HTTP traffic.[2]
Enterprise T1001 .002 Data Obfuscation: Steganography

Daserf can use steganography to hide malicious code downloaded to the victim.[1]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Daserf uses RC4 encryption to obfuscate HTTP traffic.[2]
Enterprise T1105 Ingress Tool Transfer

Daserf can download remote files.[1][2]
Enterprise T1056 .001 Input Capture: Keylogging

Daserf can log keystrokes.[1][2]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[3]
Enterprise T1027 Obfuscated Files or Information

Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.[1]
.002 Software Packing

A version of Daserf uses the MPRESS packer.[1]
.005 Indicator Removal from Tools

Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.[1]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.[3]
Enterprise T1113 Screen Capture

Daserf can take screenshots.[1][2]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Some Daserf samples were signed with a stolen digital certificate.[3]

Groups That Use This Software

ID Name References
G0060 BRONZE BUTLER

[1][3]

References

  1. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  2. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  1. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.