Duuzer back door Trojan targets South Korea to take over computers

2015-10-26 Symantec

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

Symantec reports that Duuzer was active against South Korea, with a particular focus on the manufacturing industry, although the activity was not limited to that region. The backdoor supports remote access, file download, data theft, system and drive enumeration, process control, file modification and deletion, and file timestamp changes. The malware attempts to evade analysis by checking for VirtualBox and VMware environments, and operators were observed manually renaming the malware to resemble installed legitimate software, adding Run-key persistence, mapping the local network, and attempting to disable Symantec Endpoint Protection. Symantec also links the same operators to Brambul and Joanap: Brambul brute-forces SMB with weak credentials and can expose the system drive, while Joanap registers as “SmartCard Protector” and communicates over RC4-encrypted connections to receive backdoor commands.

Indicators of Compromise

