Daserf

Malware Profile Updated 24 days ago
Download STIX
Preview STIX
Daserf is a sophisticated malware, custom-developed for use in Tick's cyberespionage campaigns. It is capable of exploiting and damaging computer systems by stealing personal information, disrupting operations, and relaying stolen data back to attacker-controlled servers. The Daserf Trojan employs numerous tactics to avoid detection, including the use of file and folder names related to legitimate programs often found in Windows environments, enabling it to blend into its surroundings. One variant of Daserf was compiled on July 8, 2015, indicating the long-standing nature of this threat. A downloader is installed on the victim’s machine and retrieves Daserf from a compromised site, further facilitating the spread of this malicious software. Daserf utilizes various proprietary malware such as Daserf itself, xxmm, and Datper, along with open-source Remote Access Trojans (RATs) like Lilith. The malware demonstrates code overlap and shares encryption algorithms with other malware like xxmm and Datper, hinting at a common source or developer. For instance, Daserf's decode function mirrors that of xxmm's, and the steganography algorithm between xxmm and Daserf are identical. This shared coding and encryption methodology strengthens the malware's ability to evade detection and carry out its nefarious activities. The most distinctive feature of Daserf is its use of steganography, which not only enables the backdoor to bypass firewalls but also allows the attackers to change second-stage Command & Control (C2) communication or backdoor more conveniently. This technique makes Daserf highly adaptable and difficult to counteract. Daserf, Datper, and xxmm communicate with C2 servers via HTTP, encrypting commands and data using specific algorithms, further enhancing their stealth and effectiveness. As such, Daserf represents a significant cybersecurity threat, underlining the need for robust digital security measures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Daserf Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
BRONZE BUTLER Hacker Group Targets Japanese Enterprises
MITRE
a year ago
REDBALDKNIGHT’s Daserf Backdoor Now Uses Steganography
MITRE
a year ago
Endpoint Protection - Symantec Enterprise
MITRE
a year ago
Exchange servers under siege from at least 10 APT groups | WeLiveSecurity