“Duuzer” Trojan Used to Target South Korean Organizations

Malicious actors have been using a backdoor Trojan dubbed by researchers “Duuzer” to steal valuable information from organizations in South Korea and elsewhere, Symantec reported on Monday.

According to the security firm, Duuzer has mainly been used in targeted attacks aimed at the manufacturing industry in South Korea. The threat gives attackers remote access to the infected devices, allowing them to collect system information, access and modify files, upload and download files, and execute commands.

Symantec discovered the malware, which it detects as Backdoor.Duuzer, on August 21, but based on the indicators of compromise (IoC) provided by the company, the threat appears to have been around since at least July 20.

It’s currently unclear how the malware is being distributed, but experts believe the attackers are relying on spear phishing emails and watering hole attacks.

The Trojan, designed to work on both 32-bit and 64-bit systems, checks whether it is running inside a VMware or VirtualBox virtual machine before performing its malicious routines, so that it does not expose its behavior to researchers analyzing it in a sandbox. Another method used to avoid detection involves renaming the malware after an existing legitimate piece of software that is configured to run on startup, so the malicious autorun entry blends in with the legitimate one.
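A masquerade of that kind survives a glance at the Run keys, but not a comparison against a known-good baseline: the name matches a legitimate product while the image path or the file hash does not. The check below is an added example written for this article, not Symantec's or SecurityWeek's code. The baseline, the observed entries, the "name|image path|sha256" line format and the hashes are all constructed for the demonstration; a real deployment would enumerate the Run keys and hash the images itself.

```python
"""Flag autorun entries that borrow the name of legitimate startup software.

Added example for this article (not code from the original page). The
baseline, observed entries and hashes are constructed placeholders.
"""
import ntpath
import re

# Constructed baseline from a known-good build: name -> (image path, SHA-256).
# The hash values are placeholders, not real digests.
BASELINE = {
    "SunJavaUpdateSched": (r"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe", "11aa"),
    "GoogleUpdate": (r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "22bb"),
    "RtHDVCpl": (r"C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe", "33cc"),
}

# Constructed observed Run-key entries in a simplified "name|image path|sha256" form.
# The second entry mimics the Duuzer trick: a legitimate name, an image that lives
# under the user's profile instead of Program Files.
OBSERVED = """\
SunJavaUpdateSched|"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe"|11aa
GoogleUpdate|C:\\Users\\kim\\AppData\\Roaming\\GoogleUpdate\\GoogleUpdate.exe|deadbeef
RtHDVCpl|C:\\Program Files\\Realtek\\Audio\\HDA\\RtHDVCpl.exe|44dd
HelpPane|C:\\Windows\\Temp\\HelpPane.exe|55ee
"""

# Locations an ordinary user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\|windows\\temp\\|programdata\\)")


def normalize(path):
    """Strip quoting and case/separator differences so paths compare reliably."""
    path = path.strip().strip('"')
    return ntpath.normcase(ntpath.normpath(path))


def audit_autoruns(observed_text, baseline=BASELINE):
    """Return (entry name, reason) findings for entries that deviate from the baseline."""
    findings = []
    for line in observed_text.splitlines():
        if not line.strip():
            continue
        name, image, digest = line.split("|")
        image = normalize(image)
        if USER_WRITABLE.search(image):
            findings.append((name, "image runs from a user-writable directory"))
        if name not in baseline:
            findings.append((name, "not in baseline"))
            continue
        good_path, good_hash = baseline[name]
        if image != normalize(good_path):
            # Same name as a legitimate autorun, different binary: the masquerade case.
            findings.append((name, "legitimate autorun name, but image lives elsewhere"))
        elif digest != good_hash:
            # Right path, wrong content: the legitimate image itself was replaced.
            findings.append((name, "expected image path, but file hash changed"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_autoruns(OBSERVED):
        print(f"{entry}: {reason}")
```

The path-based comparison catches the rename trick on its own; the hash comparison is what catches the variant where the attacker overwrites the legitimate binary in place, which a name-and-path diff would miss.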

“The attackers appear to be manually running commands through the back door on affected computers. In one case, we observed the attackers creating a camouflaged version of their malware, and in another, we saw them attempting to, but failing to, deactivate Symantec Endpoint Protection (SEP),” Symantec said in a blog post.

The threat actors behind Duuzer appear to be responsible for two other pieces of malware that have been making the rounds in South Korea. These threats, detected as W32.Brambul and Backdoor.Joanap, are used by the attackers to download additional payloads and conduct reconnaissance on infected machines.

Brambul is a worm that spreads from one computer to another by relying on brute-force attacks aimed at the Server Message Block (SMB) protocol, which is normally used for providing shared access to files, printers, and serial ports. Brambul is designed to connect to random IP addresses and authenticate through SMB using common passwords, such as “password,” “login,” “123123,” “abc123” and “iloveyou.”


Once it infects a device, the malware creates a network share to provide the attackers access to the system drive, after which it sends an email containing the computer’s details and login credentials to a preconfigured address. In some cases, the threat also downloads other malicious elements.
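Brambul's spreading method leaves a distinctive trail on every host it touches: a burst of failed network logons (Windows Security event 4625 with logon type 3, which is the type SMB authentication produces) from a single source against many different targets within seconds, sometimes followed by a successful logon (event 4624) once a weak password lands. The detector below is an added example written for this article, not Symantec's or SecurityWeek's code. It consumes constructed log lines in a simplified "timestamp|event id|logon type|target host|source ip|account" form rather than raw EVTX; the thresholds and the sample events are assumptions chosen for the demonstration.

```python
"""Flag sources that spray SMB logons the way the Brambul worm does.

Added example for this article (not code from the original page). The log
lines, the field format and the thresholds are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events, simplified to
# "timestamp|event_id|logon_type|target_host|source_ip|account".
# 10.0.5.23 behaves like a Brambul host; 10.0.7.9 is a user mistyping a
# password at the console (logon type 2), which should not trigger.
SAMPLE_EVENTS = """\
2015-08-21T10:00:01|4625|3|FILESRV01|10.0.5.23|administrator
2015-08-21T10:00:02|4625|3|FILESRV01|10.0.5.23|administrator
2015-08-21T10:00:02|4625|3|WKS-017|10.0.5.23|administrator
2015-08-21T10:00:03|4625|3|WKS-018|10.0.5.23|administrator
2015-08-21T10:00:03|4625|3|WKS-019|10.0.5.23|administrator
2015-08-21T10:00:04|4625|3|DC01|10.0.5.23|administrator
2015-08-21T10:00:04|4624|3|WKS-020|10.0.5.23|administrator
2015-08-21T10:05:00|4625|2|WKS-003|10.0.7.9|jsmith
2015-08-21T10:05:30|4625|2|WKS-003|10.0.7.9|jsmith
2015-08-21T10:06:00|4625|3|FILESRV01|10.0.7.10|jsmith
"""


def parse_events(text):
    """Parse the simplified pipe-delimited event lines into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, target, source, account = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "target": target,
            "source": source,
            "account": account,
        })
    return events


def detect_smb_spray(events, window=timedelta(seconds=60), min_fails=5, min_targets=3):
    """Return {source_ip: summary} for sources whose failed network logons hit
    at least min_targets distinct hosts at least min_fails times inside window.

    Only logon type 3 (network, which covers SMB) is considered, so interactive
    typos at a console never count. The summary also lists hosts on which the
    same source later succeeded, which is where to start incident response.
    """
    by_source = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3:
            by_source[ev["source"]].append(ev)

    alerts = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["event_id"] == 4625]
        best = None
        start = 0
        for end in range(len(fails)):            # sliding time window over failures
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            current = fails[start:end + 1]
            targets = {e["target"] for e in current}
            if len(current) >= min_fails and len(targets) >= min_targets:
                if best is None or len(current) > best["failures"]:
                    first_fail = fails[start]["time"]
                    best = {
                        "failures": len(current),
                        "targets": sorted(targets),
                        "accounts": sorted({e["account"] for e in current}),
                        "success_on": sorted({e["target"] for e in evs
                                              if e["event_id"] == 4624
                                              and e["time"] >= first_fail}),
                    }
        if best:
            alerts[source] = best
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_spray(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

Requiring many distinct targets, not just many failures, is what separates a worm scanning random addresses from a single misconfigured service account that fails repeatedly against one server; the "success_on" list turns the alert from a noise signal into a list of hosts that now need the share and e-mail behavior described above checked for.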

Joanap, which is dropped alongside Brambul, opens a backdoor on the infected system, sends specific files to the attackers, downloads and executes files, and executes or terminates processes.

According to Symantec, Duuzer is associated with both Joanap and Brambul: the company found computers infected with Brambul that were also infected with Duuzer, and that were being used as command and control (C&C) servers for Duuzer.

Related Reading: North Korea Suspected of Using Zero-Day to Attack South

Related Reading: North Korea Suspected of Hacking Seoul Subway Operator

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.