Tuesday, December 3, 2024
HomeBackdoorA New Hacking Group Spreading Sophisticated "Daserf" Backdoor using Steganography

A New Hacking Group Spreading Sophisticated “Daserf” Backdoor using Steganography

Published on

SIEM as a Service

A new Cyber cyberespionage group called REDBALDKNIGHT Spreading advance Daserf Backdoor against Japanese based government agencies such as biotechnology, electronics manufacturing, and industrial chemistry systems.

This sophisticated backdoor capable of performing some dangerous activities including execute shell commands, download and upload data, take screenshots, and log keystrokes.

Unlike other backdoors, it has some stealthy techniques to evade detection and its use steganography, embedding codes are using to hide the malicious code with a spreading medium such as images.

- Advertisement - SIEM as a Service

Also Read: Dangerous Cyber Espionage Group Called Sowbug Spotted Conducting High Profile Cyber Attacks

Attackers using some social engineering techniques as well to reach out their malware and indicator are mainly translated into the Japanese Language.

According to Trend Micro Report,The decoy documents they use in their attack chain are written in fluent Japanese, and particularly, created via the Japanese word processor Ichitaro.
“Decoy Documents” are automatically generated and stored on a file system by the D3 System with the aim of enticing a malicious user.The decoy documents contain several different types of bogus credentials that when used, trigger an alert.

This Decoy document sending Across to victims using Spearphishing Emails such as disaster prevention” Plans for the targeted organization.

How Does Daserf Backdoor  Attack Chain Works

Traditional Spearphishing emails are using for the intial entry point of REDBALDKNIGHT’s attacks with attacked  Decoy document that contains Trojan downloader that will help to retrieve the original Daserf backdoor.

Once Victims opened the file, it will communicate with attacked owned compromised site and that will have embedded  Daserf backdoor file.

Daserf Backdoor connected to another compromised site to Download an Image that will be either the encrypted backdoor configurations or hacking tool.

Daserf Backdoor

Execution Flow of Daserf Backdoor

Later Daserf Backdoor connect to its C&C and await for commands form Attacker to initiate the further Malicious activities.

In this case Trojan downloader act as an initial level of Backdoor that is capable of open the shell and also  XXMM, xxmm2_ steganography is used to hide malicious code within an image file.

EDBALDKNIGHT’s tool can create, embed, and hide executables or configuration files within the image file with its tag and encrypted strings via steganography. An encrypted string can be an executable file or a URL.

Daserf Backdoor regularly undergo technical improvements used to evade the traditional antivirus detection also it users the MPRESS packer that helps to protect against AV detection and reverse engineering phase.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

Salesforce Applications Vulnerability Could Allow Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a...

TP-Link HomeShield Function Vulnerability Let Attackers Inject Malicious Commands

A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

SMOKEDHAM Backdoor Mimic As Legitimate Tools Leveraging Google Drive & Dropbox

UNC2465, a financially motivated threat actor, leverages the SMOKEDHAM backdoor to gain initial access...

Rekoobe Backdoor In Open Directories Possibly Attacking TradingView Users

APT31, using the Rekoobe backdoor, has been observed targeting TradingView, a popular financial platform,...

Researchers Backdoored Azure Automation Account Packages And Runtime Environments

Runtime environments offer a flexible way to customize Automation Account Runbooks with specific packages....