S0187 Daserf
Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. [1][2]
| Item | Value |
|---|---|
| ID | S0187 |
| Associated Names | Muirim, Nioupale |
| Type | MALWARE |
| Version | 1.1 |
| Created | 16 January 2018 |
| Last Modified | 30 March 2020 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Muirim | [1] |
| Nioupale | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Daserf uses HTTP for C2. [2] |
| enterprise | T1560 | Archive Collected Data | Daserf hides collected data in password-protected .rar archives. [3] |
| enterprise | T1560.001 | Archive via Utility | Daserf hides collected data in password-protected .rar archives. [3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Daserf can execute shell commands. [1][2] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Daserf uses custom base64 encoding to obfuscate HTTP traffic. [2] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.002 | Steganography | Daserf can use steganography to hide malicious code downloaded to the victim. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Daserf uses RC4 encryption to obfuscate HTTP traffic. [2] |
| enterprise | T1105 | Ingress Tool Transfer | Daserf can download remote files. [1][2] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Daserf can log keystrokes. [1][2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs. [3] |
| enterprise | T1027 | Obfuscated Files or Information | Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher. [1] |
| enterprise | T1027.002 | Software Packing | A version of Daserf uses the MPRESS packer. [1] |
| enterprise | T1027.005 | Indicator Removal from Tools | Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection. [1] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | Daserf leverages Mimikatz and Windows Credential Editor to steal credentials. [3] |
| enterprise | T1113 | Screen Capture | Daserf can take screenshots. [1][2] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | Some Daserf samples were signed with a stolen digital certificate. [3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0060 | BRONZE BUTLER | [1][3] |
References
1. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER's Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
2. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
3. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.