Skip to content

S0187 Daserf

Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. 1 2

Item Value
ID S0187
Associated Names Muirim, Nioupale
Type MALWARE
Version 1.1
Created 16 January 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Muirim 1
Nioupale 1

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Daserf uses HTTP for C2.2
enterprise T1560 Archive Collected Data Daserf hides collected data in password-protected .rar archives.3
enterprise T1560.001 Archive via Utility Daserf hides collected data in password-protected .rar archives.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Daserf can execute shell commands.12
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Daserf uses custom base64 encoding to obfuscate HTTP traffic.2
enterprise T1001 Data Obfuscation -
enterprise T1001.002 Steganography Daserf can use steganography to hide malicious code downloaded to the victim.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Daserf uses RC4 encryption to obfuscate HTTP traffic.2
enterprise T1105 Ingress Tool Transfer Daserf can download remote files.12
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Daserf can log keystrokes.12
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.3
enterprise T1027 Obfuscated Files or Information Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.1
enterprise T1027.002 Software Packing A version of Daserf uses the MPRESS packer.1
enterprise T1027.005 Indicator Removal from Tools Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.3
enterprise T1113 Screen Capture Daserf can take screenshots.12
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Some Daserf samples were signed with a stolen digital certificate.3

Groups That Use This Software

ID Name References
G0060 BRONZE BUTLER 13

References

Back to top