Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. [1] [2]

ID: S0187
Associated Software: Muirim, Nioupale

Platforms: Windows

Version: 1.0

Associated Software Descriptions


Techniques Used

EnterpriseT1116Code SigningSome Daserf samples were signed with a stolen digital certificate.[3]
EnterpriseT1059Command-Line InterfaceDaserf can execute shell commands.[1][2]
EnterpriseT1003Credential DumpingDaserf leverages Mimikatz and Windows Credential Editor to steal credentials.[3]
EnterpriseT1002Data CompressedDaserf hides collected data in password-protected .rar archives.[3]
EnterpriseT1132Data EncodingDaserf uses custom base64 encoding to obfuscate HTTP traffic.[2]
EnterpriseT1022Data EncryptedDaserf hides collected data in password-protected .rar archives.[3]
EnterpriseT1001Data ObfuscationDaserf can use steganography to hide malicious code downloaded to the victim.[1]
EnterpriseT1066Indicator Removal from ToolsAnalysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.[1]
EnterpriseT1056Input CaptureDaserf can log keystrokes.[1][2]
EnterpriseT1036MasqueradingDaserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[3]
EnterpriseT1027Obfuscated Files or InformationDaserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.[1]
EnterpriseT1105Remote File CopyDaserf can download remote files.[1][2]
EnterpriseT1113Screen CaptureDaserf can take screenshots.[1][2]
EnterpriseT1045Software PackingA version of Daserf uses the MPRESS packer.[1]
EnterpriseT1071Standard Application Layer ProtocolDaserf uses HTTP for C2.[2]
EnterpriseT1032Standard Cryptographic ProtocolDaserf uses RC4 encryption to obfuscate HTTP traffic.[2]


Groups that use this software: