Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. [1] [2]

ID: S0187
Associated Software: Muirim, Nioupale
Platforms: Windows
Version: 1.0

Associated Software Descriptions

Name Description
Muirim [1]
Nioupale [1]

Techniques Used

Domain ID Name Use
Enterprise T1116 Code Signing Some Daserf samples were signed with a stolen digital certificate.[3]
Enterprise T1059 Command-Line Interface Daserf can execute shell commands.[1][2]
Enterprise T1003 Credential Dumping Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.[3]
Enterprise T1002 Data Compressed Daserf hides collected data in password-protected .rar archives.[3]
Enterprise T1132 Data Encoding Daserf uses custom base64 encoding to obfuscate HTTP traffic.[2]
Enterprise T1022 Data Encrypted Daserf hides collected data in password-protected .rar archives.[3]
Enterprise T1001 Data Obfuscation Daserf can use steganography to hide malicious code downloaded to the victim.[1]
Enterprise T1066 Indicator Removal from Tools Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.[1]
Enterprise T1056 Input Capture Daserf can log keystrokes.[1][2]
Enterprise T1036 Masquerading Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[3]
Enterprise T1027 Obfuscated Files or Information Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.[1]
Enterprise T1105 Remote File Copy Daserf can download remote files.[1][2]
Enterprise T1113 Screen Capture Daserf can take screenshots.[1][2]
Enterprise T1045 Software Packing A version of Daserf uses the MPRESS packer.[1]
Enterprise T1071 Standard Application Layer Protocol Daserf uses HTTP for C2.[2]
Enterprise T1032 Standard Cryptographic Protocol Daserf uses RC4 encryption to obfuscate HTTP traffic.[2]


Groups that use this software: