Daserf is an example of a backdoor, malware that provides attackers with access to the compromised system. It’s commonly used for data theft, as you can see from the number of AlienVault blog posts that include the term.
The Daserf malware has been around for about 10 years, created by a low-profile team that the security response crew at Symantec named ‘Tick’. Daserf is used by Tick to harvest data from its victims. Tick’s most recent attacks have focused on technology, aquatic engineering, and broadcasting segments in Japan. However, it has also compromised systems in the US, Australia, India, Singapore, and South Korea.
How it Works
Tick has used different methods to compromise the targeted systems to install the Daserf malware. One approach was to compromise web sites by exploiting a Flash vulnerability and launch a watering hole attack. The watering hole technique enables an attacker to infect visitors to the website with malware, and Tick used it to install a downloader (Gofarer). This downloader first collects information about the victim’s device and then installs Daserf.
Another approach used by Tick is spear phishing, to get the malware installed on the victims’ devices (Spear phishing often involves the use of targeted emails with attachments containing malware to get the victims to install malware directly).
The Daserf malware has some interesting features to reduce the chance of detection. One is that some versions of it utilized stolen digital certificates to appear legitimate to antimalware tools. Another is to store the harvested data in .rar file format, which many users cannot open without installing an additional file management utility on their systems.
Figure 1 below illustrates the use of a watering hole technique to install the downloader, which then installs the backdoor, which then harvests data and sends it back to the C&C server.
Impact on you
Daserf was created to avoid detection and harvest data from targeted organizations. Although focused primarily on Japan, Daserf has been used to target organizations outside of Japan, so you should not consider yourself immune from this threat. It exploits vulnerabilities in common applications and operating systems to gain access to victims’ devices, and you can reduce your exposure to this data harvesting attack (and other attacks), with regular vulnerably assessment scans. These scans will identify any vulnerable systems, which enables you to remediate vulnerabilities before attackers can exploit them.
How AlienVault Helps
The AlienVault Unified Security Management (USM) platform delivers the essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to threats like Daserf. One of the essential security capabilities built into the USM platform is Vulnerability Assessment, which can identify vulnerable systems that attacks like Daserf exploit. You can configure the USM platform to conduct these scans automatically and provide you with a comprehensive view of all vulnerable systems on your network.
The AlienVault Labs team regularly updates the rulesets that drive the all of the threat detection and response capabilities of the AlienVault USM platform, to keep you up to date with new and evolving threats. The Labs team performs the threat research that most IT teams simply don’t have the expertise, time, budget, or tools to do themselves on the latest threats, and how to detect and respond to them.
The Labs team recently updated the USM platform’s ability to detect this new threat by adding IDS signatures to detect the malicious traffic and a correlation directive to link events from across a network that indicate a system compromised by Daserf. Learn more about these updates in the latest Threat Intelligence Update summary posted in our Forums, where you can keep up to date on the latest threat intelligence updates, product news, and engage with your fellow Aliens.
Our AlienVault Labs team and the Open Threat Exchange (OTX) community will continue to monitor the behavior of this threat, and will update the information in OTX when appropriate.
Also, the integration between our OTX and USM means that you get alerted whenever indicators of compromise (IOCs) being discussed in OTX are present in your network. The result is that USM customers are up to date on the latest threat vectors, attacker techniques and defenses. Even if you don’t have USM, you can create a free account in OTX and interact with the community.