Daserf is a sophisticated malware, custom-developed for use in Tick's cyberespionage campaigns. It is capable of exploiting and damaging computer systems by stealing personal information, disrupting operations, and relaying stolen data back to attacker-controlled servers. The Daserf Trojan employs numerous tactics to avoid detection, including the use of file and folder names related to legitimate programs often found in Windows environments, enabling it to blend into its surroundings. One variant of Daserf was compiled on July 8, 2015, indicating the long-standing nature of this threat. A downloader is installed on the victim’s machine and retrieves Daserf from a compromised site, further facilitating the spread of this malicious software.
Tick's toolset includes several proprietary malware families, among them Daserf itself, xxmm, and Datper, along with open-source Remote Access Trojans (RATs) such as Lilith. Daserf shares code and encryption algorithms with xxmm and Datper, hinting at a common source or developer: Daserf's decode function mirrors xxmm's, and the steganography algorithm used by xxmm and Daserf is identical. This shared coding and encryption methodology strengthens the malware's ability to evade detection and carry out its nefarious activities.
The most distinctive feature of Daserf is its use of steganography, which not only enables the backdoor to bypass firewalls but also lets the attackers swap the second-stage Command & Control (C2) channel or backdoor more conveniently. This technique makes Daserf highly adaptable and difficult to counteract. Daserf, Datper, and xxmm communicate with C2 servers via HTTP, encrypting commands and data using specific algorithms, further enhancing their stealth and effectiveness. As such, Daserf represents a significant cybersecurity threat, underlining the need for robust digital security measures.
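The page does not spell out how Daserf embeds data in images, so the following is an added, general-purpose check rather than the malware's own algorithm: a defender-side scanner that parses a downloaded PNG or JPEG to its logical end (the IEND chunk or the EOI marker) and reports any bytes appended after it, together with their Shannon entropy. Appending an encrypted blob after a valid image is one common way that image-based steganography carries a second-stage payload, and a high-entropy trailer on an image fetched over HTTP is worth triage. The sample images, the `make_png` / `make_jpeg` builders, the 16-byte trailer threshold and the entropy cut-off are all constructed for this example and are assumptions, not values taken from the page.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"

# Tunable heuristics (assumed values, not from any Daserf report).
MIN_TRAILER_LEN = 16     # ignore tiny, often benign, trailers
HIGH_ENTROPY = 7.0       # bits per byte; encrypted/compressed data sits near 8.0


def png_end_offset(data: bytes):
    """Walk PNG chunks; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        chunk_end = pos + 8 + length + 4   # length + type + data + CRC
        if chunk_end > len(data):
            return None
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_end_offset(data: bytes):
    """Walk JPEG segments; return the offset just past the EOI marker, or None.

    Segments before SOS are skipped by their declared length, so an EOI inside
    an APP1 thumbnail is not mistaken for the real end of the image.
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI with no SOS seen
            return pos + 2
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                      # SOS: scan entropy-coded data
            while pos + 1 < len(data):
                # stuffed bytes are FF 00 and restart markers are FF D0..D7,
                # so FF D9 inside the scan data can only be the EOI marker
                if data[pos] == 0xFF and data[pos + 1] == 0xD9:
                    return pos + 2
                pos += 1
            return None
    return None


def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte over the blob (0.0 for an empty blob)."""
    if not blob:
        return 0.0
    counts = {}
    for b in blob:
        counts[b] = counts.get(b, 0) + 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_image(data: bytes) -> dict:
    """Report bytes appended after the image's logical end and flag suspicious trailers."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        fmt, end = "jpeg", jpeg_end_offset(data)
    else:
        return {"format": None, "trailing_len": 0, "trailing_entropy": 0.0, "suspicious": False}
    if end is None:
        # Truncated or malformed image: cannot locate the logical end, report as-is
        return {"format": fmt, "trailing_len": 0, "trailing_entropy": 0.0, "suspicious": False}
    trailer = data[end:]
    ent = shannon_entropy(trailer)
    return {
        "format": fmt,
        "trailing_len": len(trailer),
        "trailing_entropy": ent,
        "suspicious": len(trailer) >= MIN_TRAILER_LEN and ent >= HIGH_ENTROPY,
    }


# --- constructed sample images (built here for the example) -------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png() -> bytes:
    """A valid 1x1 RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")        # filter byte + one red pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_jpeg() -> bytes:
    """A structurally valid JPEG (SOI, APP0, SOS with a stuffed FF 00 byte, EOI)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return JPEG_SOI + app0 + sos + b"\x12\xff\x00\x34" + b"\xff\xd9"


if __name__ == "__main__":
    fake_payload = bytes(range(256))                  # stands in for an encrypted blob
    for name, img in [("clean png", make_png()), ("png+trailer", make_png() + fake_payload),
                      ("clean jpeg", make_jpeg()), ("jpeg+trailer", make_jpeg() + fake_payload)]:
        print(name, scan_image(img))
```

Run it on files pulled from a proxy cache or a sandbox's HTTP captures; a clean image reports `trailing_len` 0, while an image carrying an appended blob reports its size and entropy. Images with tiny low-entropy trailers (some editors leave padding) stay unflagged by the thresholds, which is the intended trade-off; lower `HIGH_ENTROPY` if you also want to catch plaintext trailers.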
Description last updated: 2024-05-05T00:42:12.241Z