“Duuzer” Trojan Used to Target South Korean Organizations

Malicious actors have been using a backdoor Trojan dubbed by researchers “Duuzer” to steal valuable information from organizations in South Korea and elsewhere, Symantec reported on Monday.

According to the security firm, Duuzer has mainly been used in targeted attacks aimed at the manufacturing industry in South Korea. The threat gives attackers remote access to the infected devices, allowing them to collect system information, access and modify files, upload and download files, and execute commands.

Symantec discovered the malware, which it detects as Backdoor.Duuzer, on August 21, but based on the indicators of compromise (IoC) provided by the company, the threat appears to have been around since at least July 20.

It’s currently unclear how the malware is being distributed, but experts believe the attackers are relying on spear phishing emails and watering hole attacks.

The Trojan, built to run on both 32-bit and 64-bit Windows systems, checks for the presence of VMware and VirtualBox virtual machines and holds off on its malicious routines if it finds one, so that it is not analyzed in a researcher's sandbox. It also evades detection by renaming itself after a legitimate program that is already configured to run at startup, so the malicious entry blends in with the expected autostart list.

“The attackers appear to be manually running commands through the back door on affected computers. In one case, we observed the attackers creating a camouflaged version of their malware, and in another, we saw them attempting to, but failing to, deactivate Symantec Endpoint Protection (SEP),” Symantec said in a blog post.

The threat actors behind Duuzer appear to be responsible for two other pieces of malware that have been making the rounds in South Korea. These threats, detected as W32.Brambul and Backdoor.Joanap, are used by the attackers to download additional payloads and conduct reconnaissance on infected machines.

Brambul is a worm that spreads from one computer to another by relying on brute-force attacks aimed at the Server Message Block (SMB) protocol, which is normally used for providing shared access to files, printers, and serial ports. Brambul is designed to connect to random IP addresses and authenticate through SMB using common passwords, such as “password,” “login,” “123123,” “abc123” and “iloveyou.”
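The spreading behaviour described above, many failed network logons from one source against several hosts using a handful of common passwords, is visible in ordinary Windows logon auditing. The following is an added example, not Symantec's or Brambul's code, of the detection logic a defender could run over failed-logon records; it assumes a simplified one-line record format (timestamp, event ID, source IP, target host, account, logon type) carrying the fields a Windows 4625/4624 event provides, and the sample records are constructed for the example. The password list is the one the article attributes to Brambul, so the same script doubles as a policy check.

```python
"""Detect Brambul-style SMB password spraying from failed-logon records.

Added example for this article (not Symantec's or Brambul's code).
Assumed input format, one record per line:
    <ISO timestamp> <event id> <source IP> <target host> <account> <logon type>
mirroring the fields a Windows 4625 (failure) / 4624 (success) event carries;
logon type 3 is a network logon, which is what SMB authentication produces.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Passwords the article names as part of Brambul's guess list.
BRAMBUL_PASSWORDS = {"password", "login", "123123", "abc123", "iloveyou"}

# Constructed sample log: 10.1.2.3 sprays three machines and finally gets in;
# 10.1.5.7 is a user mistyping a password on one host; the last line is an
# interactive (type 2) failure and must not count as SMB activity.
SAMPLE_EVENTS = """\
2015-07-20T09:00:01 4625 10.1.2.3 FILESRV01 administrator 3
2015-07-20T09:00:02 4625 10.1.2.3 FILESRV01 admin 3
2015-07-20T09:00:04 4625 10.1.2.3 HR-PC07 administrator 3
2015-07-20T09:00:05 4625 10.1.2.3 HR-PC07 admin 3
2015-07-20T09:00:07 4625 10.1.2.3 DC01 administrator 3
2015-07-20T09:00:09 4625 10.1.2.3 DC01 admin 3
2015-07-20T09:00:11 4624 10.1.2.3 HR-PC07 admin 3
2015-07-20T09:03:00 4625 10.1.5.7 FILESRV01 jkim 3
2015-07-20T09:03:30 4625 10.1.5.7 FILESRV01 jkim 3
2015-07-20T09:10:00 4625 10.1.2.3 FILESRV01 guest 2
"""


def is_brambul_password(password):
    """True if the password is one of the guesses the article attributes to Brambul."""
    return password.lower() in BRAMBUL_PASSWORDS


def parse_events(text):
    """Parse the assumed record format into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, source, host, account, logon_type = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "source": source,
            "host": host,
            "account": account,
            "logon_type": int(logon_type),
        })
    return events


def detect_spray(events, threshold=5, window=timedelta(minutes=5), min_hosts=2):
    """Flag sources with >= threshold failed network logons inside `window`
    that touch at least `min_hosts` distinct targets. A worm guessing its way
    across random hosts looks like this; a user mistyping one password on one
    server does not. Any network logon success from the same source after the
    burst began is recorded too, since Brambul eventually lands a valid guess."""
    by_source = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:          # network logons only (SMB, not console)
            by_source[e["source"]].append(e)

    alerts = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event_id"] == 4625]
        best = None
        start = 0
        for end in range(len(failures)):  # sliding time window over failures
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            burst = failures[start:end + 1]
            hosts = {e["host"] for e in burst}
            if len(burst) >= threshold and len(hosts) >= min_hosts:
                if best is None or len(burst) > best["failures"]:
                    best = {
                        "failures": len(burst),
                        "hosts": sorted(hosts),
                        "accounts": sorted({e["account"] for e in burst}),
                        "first": burst[0]["ts"],
                        "last": burst[-1]["ts"],
                    }
        if best is not None:
            best["succeeded_as"] = sorted(
                {(e["host"], e["account"]) for e in evs
                 if e["event_id"] == 4624 and e["ts"] >= best["first"]})
            alerts[source] = best
    return alerts


if __name__ == "__main__":
    for source, alert in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(source, alert)
```

On the sample data only 10.1.2.3 is flagged (six failures across three hosts, followed by a successful network logon as admin on HR-PC07); the two mistyped logons from 10.1.5.7 and the interactive failure stay below the bar. In a real deployment the thresholds should be tuned to the environment, and the same records can be fed from Security event exports rather than the embedded sample.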

Once it infects a device, the malware creates a network share to provide the attackers access to the system drive, after which it sends an email containing the computer’s details and login credentials to a preconfigured address. In some cases, the threat also downloads other malicious elements.

Joanap, which is dropped alongside Brambul, opens a backdoor on the infected system, sends specific files to the attackers, downloads and executes files, and executes or terminates processes.

According to Symantec, Duuzer is linked to both Joanap and Brambul: some Brambul-infected computers were found to be infected with Duuzer as well, and were being used as command and control (C&C) servers for Duuzer.

Related Reading: North Korea Suspected of Using Zero-Day to Attack South

Related Reading: North Korea Suspected of Hacking Seoul Subway Operator

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
