Daserf

Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. [1] [2]

ID: S0187
Associated Software: Muirim, Nioupale
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 16 January 2018
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description
Muirim [1]
Nioupale [1]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Daserf uses HTTP for C2.[2]

Enterprise T1560 Archive Collected Data

Daserf hides collected data in password-protected .rar archives.[3]

.001 Archive via Utility

Daserf hides collected data in password-protected .rar archives.[3]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Daserf can execute shell commands.[1][2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Daserf uses custom base64 encoding to obfuscate HTTP traffic.[2]

Enterprise T1001 .002 Data Obfuscation: Steganography

Daserf can use steganography to hide malicious code downloaded to the victim.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Daserf uses RC4 encryption to obfuscate HTTP traffic.[2]

Enterprise T1105 Ingress Tool Transfer

Daserf can download remote files.[1][2]

Enterprise T1056 .001 Input Capture: Keylogging

Daserf can log keystrokes.[1][2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[3]

Enterprise T1027 Obfuscated Files or Information

Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.[1]

.005 Indicator Removal from Tools

Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.[1]

.002 Software Packing

A version of Daserf uses the MPRESS packer.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.[3]

Enterprise T1113 Screen Capture

Daserf can take screenshots.[1][2]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Some Daserf samples were signed with a stolen digital certificate.[3]

Groups That Use This Software

ID Name References
G0060 BRONZE BUTLER

[1][3]

References