Security Experts:

"Duuzer" Trojan Used to Target South Korean Organizations

Malicious actors have been using a backdoor Trojan dubbed by researchers “Duuzer” to steal valuable information from organizations in South Korea and elsewhere, Symantec reported on Monday.

According to the security firm, Duuzer has mainly been used in targeted attacks aimed at the manufacturing industry in South Korea. The threat gives attackers remote access to the infected devices, allowing them to collect system information, access and modify files, upload and download files, and execute commands.

Symantec discovered the malware, which it detects as Backdoor.Duuzer, on August 21, but based on the indicators of compromise (IoC) provided by the company, the threat appears to have been around since at least July 20.

It’s currently unclear how the malware is being distributed, but experts believe the attackers are relying on spear phishing emails and watering hole attacks.

The Trojan, designed to work on both 32-bit and 64-bit systems, checks for the presence of VMware and Virtualbox virtual machines to ensure that it’s not being analyzed by researchers before performing its malicious routines. Another method used to avoid detection involves renaming the malware after an existing legitimate piece of software that is configured to run on startup.

“The attackers appear to be manually running commands through the back door on affected computers. In one case, we observed the attackers creating a camouflaged version of their malware, and in another, we saw them attempting to, but failing to deactivate Symantec Endpoint Protection (SEP),” Symantec said in a blog post.

The threat actors behind Duuzer appear to be responsible for two other pieces of malware that have been making the rounds in South Korea. These threats, detected as W32.Brambul and Backdoor.Joanap, are used by the attackers to download additional payloads and conduct reconnaissance on infected machines.

Brambul is a worm that spreads from one computer to another by relying on brute-force attacks aimed at the Server Message Block (SMB) protocol, which is normally used for providing shared access to files, printers, and serial ports. Brambul is designed to connect to random IP addresses and authenticate through SMB using common passwords, such as “password,” “login,” “123123,” “abc123” and “iloveyou.”

Once it infects a device, the malware creates a network share to provide the attackers access to the system drive, after which it sends an email containing the computer’s details and login credentials to a preconfigured address. In some cases, the threat also downloads other malicious elements.

Joanap, which is dropped alongside Brambul, opens a backdoor on the infected system, sends specific files to the attackers, downloads and executes files, and executes or terminates processes.

According to Symantec, Duuzer is associated with both Joanap and Brambul. Experts discovered that Brambul-infected computers have also been infected with Duuzer, and used as command and control (C&C) servers for Duuzer.

Related Reading: North Korea Suspected of Using Zero-Day to Attack South

Related Reading: North Korea Suspected of Hacking Seoul Subway Operator

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.