Daserf
Associated Software Descriptions

Name | Description |
---|---|
Muirim | (Citation: Trend Micro Daserf Nov 2017) |
Nioupale | (Citation: Trend Micro Daserf Nov 2017) |
Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Daserf uses HTTP for C2.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Daserf hides collected data in password-protected .rar archives.(Citation: Symantec Tick Apr 2016) |
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Daserf can execute shell commands.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017) |
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Daserf uses custom base64 encoding to obfuscate HTTP traffic.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
Enterprise | T1001.002 | Data Obfuscation: Steganography | Daserf can use steganography to hide malicious code downloaded to the victim.(Citation: Trend Micro Daserf Nov 2017) |
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Daserf uses RC4 encryption to obfuscate HTTP traffic.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
Enterprise | T1056.001 | Input Capture: Keylogging | Daserf can log keystrokes.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017) |
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.(Citation: Symantec Tick Apr 2016) |
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.(Citation: Symantec Tick Apr 2016) |
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | A version of Daserf uses the MPRESS packer.(Citation: Trend Micro Daserf Nov 2017) |
Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.(Citation: Trend Micro Daserf Nov 2017) |
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Some Daserf samples were signed with a stolen digital certificate.(Citation: Symantec Tick Apr 2016) |
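The T1132.001 and T1573.001 rows above describe the same C2 channel: the HTTP body is RC4-encrypted and then base64-encoded with a non-standard alphabet. The example below is an added illustration of how an analyst unwraps such a body once the key and alphabet have been recovered from the sample; it is not Daserf's code. The RC4 key, the custom alphabet (a rotation of the standard one) and the sample message are all constructed here, since the page does not give the real values. The `naive_decode` function shows why a custom alphabet defeats off-the-shelf decoders: the body still looks like valid base64, but decoding it with the standard alphabet yields the wrong bytes, so RC4 then produces garbage rather than an error.

```python
"""
Unwrapping a C2 body protected by RC4 followed by custom-alphabet base64.

Added example, not Daserf's code. ASSUMED_KEY, CUSTOM_ALPHABET and the
sample message are constructed for illustration only.
"""
import base64
import string

STD_ALPHABET = (
    string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
)
# Hypothetical custom alphabet (constructed): the standard alphabet rotated
# by 17 positions. Padding '=' is left alone, so the body still looks like
# ordinary base64 on the wire.
CUSTOM_ALPHABET = STD_ALPHABET[17:] + STD_ALPHABET[:17]
ASSUMED_KEY = b"example-rc4-key"  # constructed; not the real malware key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: one call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def custom_b64encode(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Standard base64, then substitute each symbol with the custom one."""
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def custom_b64decode(text: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map the custom symbols back to the standard alphabet, then decode."""
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(std)


def wrap_c2(plaintext: bytes, key: bytes = ASSUMED_KEY) -> str:
    """Implant side: RC4 first, then custom base64 for the HTTP body."""
    return custom_b64encode(rc4(key, plaintext))


def unwrap_c2(body: str, key: bytes = ASSUMED_KEY) -> bytes:
    """Analyst side: undo the alphabet substitution, then strip RC4."""
    return rc4(key, custom_b64decode(body))


def naive_decode(body: str, key: bytes = ASSUMED_KEY) -> bytes:
    """What a decoder that assumes the standard alphabet gets: the body
    parses as base64 without error, but the bytes are wrong, so the RC4
    output is garbage instead of the command."""
    return rc4(key, base64.b64decode(body))


if __name__ == "__main__":
    sample = b"cmd: whoami"  # constructed beacon content
    body = wrap_c2(sample)
    print("wire body  :", body)
    print("unwrapped  :", unwrap_c2(body))
    print("naive      :", naive_decode(body))
```

When building a decoder for a real sample, pull the alphabet from the lookup table the binary uses and the RC4 key from its configuration, then plug them in as `alphabet` and `key`; the structure above stays the same.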
Groups That Use This Software

ID | Name | References |
---|---|---|
G0060 | BRONZE BUTLER | (Citation: Trend Micro Daserf Nov 2017) (Citation: Symantec Tick Apr 2016) |
References
- Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.