Daserf

Malware Profile (updated 3 months ago)
Daserf is a backdoor custom-developed for the cyberespionage campaigns of Tick (also tracked as BRONZE BUTLER and REDBALDKNIGHT). It collects information from compromised Windows hosts, can disrupt operations on them, and relays stolen data to attacker-controlled servers. To avoid detection it uses file and folder names that resemble those of legitimate programs commonly found in Windows environments, so that its artifacts blend in with genuine software. One variant was compiled on July 8, 2015, which shows how long this tool has been in use.

Delivery is staged: a downloader is installed on the victim's machine first and then retrieves Daserf from a compromised site. Daserf is only one part of Tick's toolset; the group also uses the proprietary malware xxmm and Datper, together with open-source Remote Access Trojans (RATs) such as Lilith. Daserf shares code and encryption algorithms with xxmm and Datper: Daserf's decode function mirrors that of xxmm, and the steganography algorithm in xxmm and Daserf is identical. That overlap points to a common source or developer and is useful for attribution.

The most distinctive feature of Daserf is its use of steganography. Because the second-stage Command and Control (C2) settings are hidden inside otherwise innocuous image files, the backdoor's retrieval of its configuration looks like ordinary web traffic and passes firewalls, and the operators can change the second-stage C2 address or swap in a different backdoor simply by replacing the hidden content, without touching the implant already on the host. This makes Daserf adaptable and hard to cut off by blocking a single server. Daserf, Datper, and xxmm all communicate with their C2 servers over HTTP and encrypt commands and data with family-specific algorithms, so defenders cannot rely on plaintext inspection of that traffic. Daserf therefore represents a significant threat to the organizations Tick targets and underlines the need for robust defensive measures.
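To make the steganography mechanism concrete, the following is an added example written for this page, not Daserf's code and not taken from any Tick tooling; the encoding Daserf actually uses is not described here, so this uses plain least-significant-bit (LSB) embedding as a stand-in. It shows the operator side (hide a C2 configuration in an image that will be served from a compromised site) and the implant side (fetch the image with an ordinary HTTP GET, recover the configuration), and why rotating the C2 only requires replacing the image. The marker `C2CF`, the key=value config format, the `make_cover` pixel stand-in and the 198.51.100.0/24 addresses are all constructed for the demo.

```python
"""Illustrative LSB steganography for a second-stage C2 configuration.

Added example: this is NOT Daserf's code, and Daserf's real encoding is not
described on the profile page. Every name, the config format and the C2
address below are constructed for the demo.
"""
import random
import struct
from typing import Dict, Optional

# Hypothetical marker so the extractor can tell a stego image from a plain one.
MAGIC = b"C2CF"


def make_cover(n_bytes: int, seed: int = 1) -> bytes:
    """Constructed stand-in for raw pixel bytes; a real stager would parse a PNG/JPEG."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_bytes))


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write MAGIC + 4-byte length + payload into the least significant bit of each cover byte."""
    blob = MAGIC + struct.pack(">I", len(payload)) + payload
    if len(blob) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    pos = 0
    for byte in blob:
        for shift in range(7, -1, -1):
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def _lsb_bytes(stego: bytes, byte_offset: int, count: int) -> bytes:
    """Read `count` blob bytes from the LSBs of stego, starting at blob byte `byte_offset`."""
    out = bytearray()
    pos = byte_offset * 8
    for _ in range(count):
        val = 0
        for _ in range(8):
            val = (val << 1) | (stego[pos] & 1)
            pos += 1
        out.append(val)
    return bytes(out)


def extract_lsb(stego: bytes) -> Optional[bytes]:
    """Return the hidden payload, or None if the image carries no valid blob."""
    if len(stego) < 8 * 8:
        return None
    header = _lsb_bytes(stego, 0, 8)
    if header[:4] != MAGIC:
        return None
    length = struct.unpack(">I", header[4:])[0]
    if (8 + length) * 8 > len(stego):
        return None  # claimed length does not fit: corrupt, or not ours
    return _lsb_bytes(stego, 8, length)


def parse_c2_config(payload: bytes) -> Dict[str, str]:
    """Assumed config format: one key=value pair per line (a demo choice, not Daserf's)."""
    config: Dict[str, str] = {}
    for line in payload.decode("ascii").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            config[key.strip()] = value.strip()
    return config


def demo() -> Dict[str, str]:
    """Operator side: hide a config in an image. Implant side: fetch image, recover config."""
    cover = make_cover(4096)
    # Constructed config; 198.51.100.0/24 is a documentation range, not a real C2.
    config = b"c2=http://198.51.100.7/update.php\nsleep=300\n"
    stego_image = embed_lsb(cover, config)   # what the operators upload to the compromised site
    recovered = extract_lsb(stego_image)     # what the implant does after an ordinary HTTP GET
    assert recovered == config
    # Rotating C2 is just re-embedding into the same cover; the implant on the host needs no update.
    rotated = extract_lsb(embed_lsb(cover, b"c2=http://198.51.100.9/news.php\n"))
    assert rotated is not None and rotated != config
    return parse_c2_config(recovered)


if __name__ == "__main__":
    print(demo())
```

The defender-side takeaway is in `extract_lsb`: a plain image yields no marker, so the only way to tell the two apart on the wire is the request pattern (a periodic GET for the same image from an unusual process), not the image content itself.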
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): Description
Datper (1): Datper is a Delphi-coded Remote Access Trojan (RAT) likely created by the threat actor group known as BRONZE BUTLER to replace an earlier malware variant, Daserf. This malware, along with Daserf and xxmm, communicates with Command and Control (C2) servers via HTTP, encrypting commands and data using
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Downloader
Malware
Windows
Trojan
Steganography
Phishing
RAT
Encryption
Payload
Encrypt
Backdoor
Exploits
Associated Malware
Profile (relationship, votes): Description
xxmm (is related to, 2): xxmm is a malicious software (malware) that has been observed to be used in tandem with other malware types, including Daserf and Datper, by the threat group BRONZE BUTLER. These malware communicate with their command and control (C2) servers via HTTP, encrypting commands and data using specific alg
Associated Threat Actors
Profile (relationship, votes): Description
BRONZE BUTLER (unspecified, 1): Bronze Butler, also known as Tick, is a sophisticated threat actor primarily focusing on cyberespionage against Japanese enterprises. In March 2023, ESET reported an operation by Bronze Butler that compromised the update server of an East Asian Data Loss Prevention (DLP) company, notably serving gov
Tick (unspecified, 1): Tick is a threat actor, also known as BRONZE BUTLER, that likely originates from the People's Republic of China. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have been investigating activities associated with this group. Tick has deployed various tools and malware fami
REDBALDKNIGHT (unspecified, 1): REDBALDKNIGHT, also known as BRONZE BUTLER or Tick, is an Advanced Persistent Threat (APT) group that has been active since at least 2006. The group primarily targets countries in the Asia Pacific region, with a significant focus on Japanese organizations from as early as 2008. They are known for th
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Daserf malware was read from the documents in the corpus below (display limited to 20 results).
Source (created): Title
MITRE (a year ago): BRONZE BUTLER Hacker Group Targets Japanese Enterprises
MITRE (a year ago): REDBALDKNIGHT’s Daserf Backdoor Now Uses Steganography
MITRE (a year ago): Endpoint Protection - Symantec Enterprise
MITRE (a year ago): Exchange servers under siege from at least 10 APT groups | WeLiveSecurity