Datper is a Delphi-coded Remote Access Trojan (RAT), most likely developed by the threat actor group known as BRONZE BUTLER to replace its earlier malware, Daserf. Like Daserf and xxmm, Datper communicates with its Command and Control (C2) servers over HTTP and encrypts the commands and data it exchanges (Datper uses RC4 for this). Notably, Datper also keeps its configuration RC4-encrypted, so neither the strings in the binary nor a packet capture expose the C2 exchange in the clear, which adds another layer of complexity to its detection and mitigation.
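Because both the configuration and the C2 traffic are RC4-encrypted, the practical first step in triaging such a sample is to try candidate key strings pulled from the binary against an encrypted blob and keep the one whose output looks like a plausible configuration. The following is an added example of that workflow, not code from Datper or from any published analysis of it: the RC4 routine is the standard algorithm, while the key, the configuration layout and the candidate list are constructed for illustration and do not reflect a real Datper sample.

```python
"""Added example: RC4 key-candidate recovery for an encrypted config or C2 blob.

The key, config layout and candidate strings below are constructed for this
example and are NOT Datper's real configuration format or key.
"""
from typing import Iterable, Optional


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_config(plain: bytes, min_printable: float = 0.9) -> bool:
    """Heuristic: a decrypted C2 config should be mostly printable ASCII and name a URL scheme."""
    if not plain:
        return False
    printable = sum(1 for b in plain if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(plain) >= min_printable and b"http" in plain.lower()


def recover_key(blob: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key whose RC4 decryption of blob passes the heuristic."""
    for key in candidates:
        if key and looks_like_config(rc4_crypt(key, blob)):
            return key
    return None


# Constructed sample: hypothetical key and config (a hypothetical C2 URL, a
# poll interval and a User-Agent), encrypted here so the example runs offline.
SAMPLE_KEY = b"example-key-01"
SAMPLE_CONFIG = b"http://c2.example.invalid/index.php|3600|agent=Mozilla/5.0"
SAMPLE_BLOB = rc4_crypt(SAMPLE_KEY, SAMPLE_CONFIG)
# Candidate keys as an analyst might collect them from the sample's strings.
CANDIDATE_KEYS = [b"", b"Delphi", b"GetProcAddress", b"example-key-01", b"kernel32.dll"]

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB, CANDIDATE_KEYS)
    print("recovered key:", key)
    if key:
        print("config:", rc4_crypt(key, SAMPLE_BLOB).decode())
```

The printable-ratio check is deliberately loose: a wrong RC4 key produces effectively random bytes, so a 90% printable threshold plus a URL-scheme marker rejects them reliably, while a real config that carries binary fields would need the threshold lowered or a structure-aware check instead.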
In the course of its operations, BRONZE BUTLER has shown a preference for running Datper and xxmm side by side. Both can download additional payloads delivered in a compressed and encoded form, decoding the file before executing it. Both also include an upload feature used for data exfiltration: the stolen files are staged in RAR archives, uploaded, and then, as soon as the transfer completes, removed with the 'del' command, leaving minimal traces of the activity on the host.
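The stage-upload-delete sequence is short-lived on disk but leaves a recognisable pair of process-creation events: an archiver writing a .rar file, followed shortly afterwards by a 'del' of the same path under the same account. The following added example (not part of the original description and not tied to any real incident) runs that pairing heuristic over a few constructed process-creation records; the pipe-delimited log format, the user names and the paths are all assumptions made for the example.

```python
"""Added example: flag an archive that is created and then deleted by the same
account within a short window. The log format and all events below are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed process-creation records: "<utc timestamp>|<user>|<command line>".
RAW_EVENTS = [
    r"2024-05-01T02:10:03Z|corp\svc_backup|rar.exe a -hpPassw0rd C:\Users\Public\docs.rar C:\Share\Finance\*.xlsx",
    r"2024-05-01T02:11:40Z|corp\svc_backup|cmd.exe /c del C:\Users\Public\docs.rar",
    r"2024-05-01T02:30:00Z|corp\alice|rar.exe a C:\Users\alice\photos.rar C:\Users\alice\Pictures",
    r"2024-05-01T09:00:00Z|corp\bob|cmd.exe /c del C:\temp\old.log",
]


@dataclass
class ProcEvent:
    ts: datetime
    user: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    ts, user, cmdline = line.split("|", 2)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ProcEvent(when, user, cmdline)


# "rar a <switches> <archive> <files...>"; rar switches are attached (e.g. -hpPASS),
# so the first token not starting with '-' is the archive path.
RAR_ADD = re.compile(r"(?:^|[\\\s])(?:rar|winrar)(?:\.exe)?\s+a\s+(.*)$", re.I)
# "del [/switches] <path>" as issued through cmd.exe.
DEL_CMD = re.compile(r"\bdel\s+(?:/\S+\s+)*\"?([^\"\s]+)\"?", re.I)


def archive_path(cmdline: str) -> Optional[str]:
    m = RAR_ADD.search(cmdline)
    if not m:
        return None
    for tok in m.group(1).split():
        if not tok.startswith("-"):
            return tok.strip('"')
    return None


def deleted_path(cmdline: str) -> Optional[str]:
    m = DEL_CMD.search(cmdline)
    return m.group(1) if m else None


def find_staged_then_deleted(events: List[ProcEvent],
                             window: timedelta = timedelta(minutes=30)
                             ) -> List[Tuple[str, str, int]]:
    """Return (user, archive path, seconds between creation and deletion) for each
    archive deleted by its creator within the window."""
    created = {}  # (user, path) lower-cased -> creation time
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        path = archive_path(ev.cmdline)
        if path:
            created[(ev.user.lower(), path.lower())] = ev.ts
            continue
        gone = deleted_path(ev.cmdline)
        if gone:
            key = (ev.user.lower(), gone.lower())
            if key in created and ev.ts - created[key] <= window:
                hits.append((ev.user, gone, int((ev.ts - created[key]).total_seconds())))
    return hits


def detect(raw_lines: List[str]) -> List[Tuple[str, str, int]]:
    return find_staged_then_deleted([parse_event(l) for l in raw_lines])


if __name__ == "__main__":
    for user, path, secs in detect(RAW_EVENTS):
        print(f"ALERT: {user} archived and deleted {path} within {secs}s")
```

Only the svc_backup pair fires: alice's archive is never deleted and bob's 'del' has no preceding archive. The 30-minute window is a tuning knob; the upload in between is not visible in process events, so in a real deployment the hit would be joined with proxy or network logs showing an outbound HTTP POST from the same host in the same interval.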
The demand for this type of intelligence gathering, which malware like Datper facilitates, may be driven by China's ambitious economic growth goals. BRONZE BUTLER's toolset spans publicly available utilities such as Mimikatz and gsecdump, proprietary malware such as Daserf, Datper and xxmm, and open source RATs such as Lilith, indicating a diverse and adaptive approach to its cyber espionage campaigns.
Description last updated: 2024-05-05T00:05:59.800Z