Carefully orchestrated malware campaign hits South Korea

Oct 27, 2015 09:07 GMT

Since mid-July, South Korean organizations have been under attack from the Duuzer malware, a backdoor trojan that allows attackers access and some control over infected systems.

Duuzer was discovered by Symantec researchers, who say that most of the attacks have been recorded on computers belonging to organizations working in the manufacturing sector.

According to their research, the trojan, detected as Backdoor.Duuzer, does not discriminate among its victims and infects both 32- and 64-bit computers.

Duuzer infections usually occur via spear phishing campaigns & watering hole attacks

Symantec cannot say how infections occur, but taking into account similar attacks on South Korean organizations, the most obvious routes are via spear phishing campaigns and classic watering hole attacks.

Once on a computer, the malware runs a check that almost all recent malware strains include: it looks for signs that it is executing inside a virtual machine such as VMware or VirtualBox.

If it detects one, the malware stops executing and shuts itself down, to avoid detection or further analysis by security researchers.

If the infected PC belongs to a real user, Duuzer's first operation is to set up a backdoor on the computer, which will allow its creators manual access.

Using the backdoor, attackers can connect to that PC and run a series of operations. They can gather system and drive details, alter local OS processes and local files, upload or download files, modify file timestamps, and even execute local commands.

Brambul and Joanap infections also detected

Besides the Duuzer backdoor, Symantec researchers also observed a series of other malware. These are the Brambul worm and the Joanap backdoor trojan, both working together most of the time, and generally used for logging and monitoring infected systems from afar.

The Brambul infection is usually the one that occurs first, and later loads Joanap.

"Computers infected with Brambul have been used as command-and-control (C&C) servers for Duuzer and have also been compromised with Duuzer," says the Symantec Security Response team.

Once the Brambul worm infects a computer, it connects to random IP addresses on the local network and tries to authenticate by brute-force password guessing over the SMB (Server Message Block) protocol, infecting other machines.

This way, the worm distributes itself without any need for attackers to run manual commands.

In addition to attacking other computers via SMB, Brambul also creates a network share on infected devices, usually the C: drive, and sends login credentials to a predefined email address.

Duuzer, Brambul and Joanap seem to be part of a bigger master plan

At this point, Brambul has been observed to drop other malware on infected systems, either Duuzer or Joanap.

If Joanap is downloaded and installed, it registers itself as a local operating system service named "SmartCard Protector," opens a backdoor, and begins sending files to its operators, executing other files, and carrying out instructions it receives from the C&C server.
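As an added illustration, not taken from the article or from Symantec's report, the following Python detector runs over constructed, simplified Windows Security log lines and flags the two behaviours described above: the Brambul lateral-movement pattern (a burst of network logon failures from one source against several hosts, as SMB password guessing would produce) and the installation of a service named "SmartCard Protector", as described for Joanap. The log line format, the use of event IDs 4625 (failed logon) and 7045 (new service), and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of simplified Windows Security log lines (not real telemetry).
# 4625 = failed logon (LogonType=3 is a network logon, e.g. SMB); 7045 = new service installed.
SAMPLE_LOG = """\
2015-07-20T10:00:01 HOST-A 4625 LogonType=3 Src=10.0.0.5 User=admin
2015-07-20T10:00:02 HOST-A 4625 LogonType=3 Src=10.0.0.5 User=administrator
2015-07-20T10:00:02 HOST-B 4625 LogonType=3 Src=10.0.0.5 User=admin
2015-07-20T10:00:03 HOST-C 4625 LogonType=3 Src=10.0.0.5 User=root
2015-07-20T10:00:04 HOST-D 4625 LogonType=3 Src=10.0.0.5 User=admin
2015-07-20T10:00:05 HOST-E 4625 LogonType=3 Src=10.0.0.5 User=guest
2015-07-20T10:00:30 HOST-A 4625 LogonType=2 Src=10.0.0.9 User=alice
2015-07-20T10:05:00 HOST-B 7045 ServiceName="SmartCard Protector" Path=C:\\Windows\\Temp\\x.exe
2015-07-20T10:06:00 HOST-C 7045 ServiceName="Print Spooler" Path=C:\\Windows\\System32\\spoolsv.exe
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\d+) (.*)$')  # timestamp host event_id key=value...

def parse(line):
    """Parse one assumed-format log line into a dict; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event_id, rest = m.groups()
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    return {"ts": datetime.fromisoformat(ts), "host": host, "id": int(event_id), **fields}

def find_smb_bruteforce(log, window=timedelta(seconds=60), min_failures=5, min_hosts=3):
    """Flag a source with many network logon failures against several hosts in one window."""
    attempts = defaultdict(list)
    for line in log.splitlines():
        ev = parse(line)
        if ev and ev["id"] == 4625 and ev.get("LogonType") == "3":
            attempts[ev["Src"]].append((ev["ts"], ev["host"]))
    hits = {}
    for src, evs in attempts.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide the window over each failure as its start
            in_win = [h for t, h in evs[i:] if t - t0 <= window]
            if len(in_win) >= min_failures and len(set(in_win)) >= min_hosts:
                hits[src] = sorted(set(in_win))
                break
    return hits

def find_suspicious_services(log, names=("SmartCard Protector",)):
    """Flag new-service events whose name matches the Joanap service name from the report."""
    return [(ev["host"], ev["ServiceName"], ev["Path"]) for ev in map(parse, log.splitlines())
            if ev and ev["id"] == 7045 and ev.get("ServiceName") in names]
```

Tuning note: the thresholds deliberately ignore a single interactive logon failure (LogonType=2 from 10.0.0.9 above) so that ordinary mistyped passwords do not trip the rule.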

While in many campaigns attackers rely on a single tool to compromise their targets, the use of multiple tools in this campaign points to state-sponsored hacking groups that possess the manpower and funds to carry out such complex attack scenarios.