Thursday, March 28, 2024

A New Hacking Group Spreading Sophisticated “Daserf” Backdoor using Steganography

A new Cyber cyberespionage group called REDBALDKNIGHT Spreading advance Daserf Backdoor against Japanese based government agencies such as biotechnology, electronics manufacturing, and industrial chemistry systems.

This sophisticated backdoor capable of performing some dangerous activities including execute shell commands, download and upload data, take screenshots, and log keystrokes.

Unlike other backdoors, it has some stealthy techniques to evade detection and its use steganography, embedding codes are using to hide the malicious code with a spreading medium such as images.

Also Read: Dangerous Cyber Espionage Group Called Sowbug Spotted Conducting High Profile Cyber Attacks

Attackers using some social engineering techniques as well to reach out their malware and indicator are mainly translated into the Japanese Language.

According to Trend Micro Report,The decoy documents they use in their attack chain are written in fluent Japanese, and particularly, created via the Japanese word processor Ichitaro.
“Decoy Documents” are automatically generated and stored on a file system by the D3 System with the aim of enticing a malicious user.The decoy documents contain several different types of bogus credentials that when used, trigger an alert.

This Decoy document sending Across to victims using Spearphishing Emails such as disaster prevention” Plans for the targeted organization.

How Does Daserf Backdoor  Attack Chain Works

Traditional Spearphishing emails are using for the intial entry point of REDBALDKNIGHT’s attacks with attacked  Decoy document that contains Trojan downloader that will help to retrieve the original Daserf backdoor.

Once Victims opened the file, it will communicate with attacked owned compromised site and that will have embedded  Daserf backdoor file.

Daserf Backdoor connected to another compromised site to Download an Image that will be either the encrypted backdoor configurations or hacking tool.

Daserf Backdoor

Execution Flow of Daserf Backdoor

Later Daserf Backdoor connect to its C&C and await for commands form Attacker to initiate the further Malicious activities.

In this case Trojan downloader act as an initial level of Backdoor that is capable of open the shell and also  XXMM, xxmm2_ steganography is used to hide malicious code within an image file.

EDBALDKNIGHT’s tool can create, embed, and hide executables or configuration files within the image file with its tag and encrypted strings via steganography. An encrypted string can be an executable file or a URL.

Daserf Backdoor regularly undergo technical improvements used to evade the traditional antivirus detection also it users the MPRESS packer that helps to protect against AV detection and reverse engineering phase.

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles