Home
Software
Daserf

Daserf

Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi.^[1]^[2]

ID: S0187

ⓘ

Associated Software: Muirim, Nioupale

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 16 January 2018

Last Modified: 25 April 2025

Version Permalink

Live Version

Associated Software Descriptions

Name	Description
Muirim	^[1]
Nioupale	^[1]

Enterprise Layer

download view

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol:Web Protocols	Daserf uses HTTP for C2.^[2]
Enterprise	T1560		Archive Collected Data	Daserf hides collected data in password-protected .rar archives.^[3]
		.001	Archive via Utility	Daserf hides collected data in password-protected .rar archives.^[3]
Enterprise	T1059	.003	Command and Scripting Interpreter:Windows Command Shell	Daserf can execute shell commands.^[1]^[2]
Enterprise	T1132	.001	Data Encoding:Standard Encoding	Daserf uses custom base64 encoding to obfuscate HTTP traffic.^[2]
Enterprise	T1001	.002	Data Obfuscation:Steganography	Daserf can use steganography to hide malicious code downloaded to the victim.^[1]
Enterprise	T1573	.001	Encrypted Channel:Symmetric Cryptography	Daserf uses RC4 encryption to obfuscate HTTP traffic.^[2]
Enterprise	T1105		Ingress Tool Transfer	Daserf can download remote files.^[1]^[2]
Enterprise	T1056	.001	Input Capture:Keylogging	Daserf can log keystrokes.^[1]^[2]
Enterprise	T1036	.005	Masquerading:Match Legitimate Resource Name or Location	Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.^[3]
Enterprise	T1027		Obfuscated Files or Information	Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.^[1]
		.002	Software Packing	A version ofDaserf uses the MPRESS packer.^[1]
		.005	Indicator Removal from Tools	Analysis ofDaserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.^[1]
Enterprise	T1003	.001	OS Credential Dumping:LSASS Memory	Daserf leveragesMimikatz andWindows Credential Editor to steal credentials.^[3]
Enterprise	T1113		Screen Capture	Daserf can take screenshots.^[1]^[2]
Enterprise	T1553	.002	Subvert Trust Controls:Code Signing	SomeDaserf samples were signed with a stolen digital certificate.^[3]

Groups That Use This Software

ID	Name	References
G0060	BRONZE BUTLER	^[1]^[3]

References

DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.