Researchers at Symantec have just unveiled yet another sophisticated backdoor, currently targeting South Korean organizations. The threat seeks to obtain full control over the infected systems and can execute a number of malicious operations.
Researchers have named the backdoor Duuzer (Backdoor.Duuzer) and have discovered that it is linked to two other malware pieces – W32.Brambul and Backdoor.Joanap. All three seek to compromise enterprises in the manufacturing industries situated in this particular part of the world. However, the backdoors may easily target other regions as well.
Even though the malware was just reported on October 26, analysis based on the indicators of compromise (IoC) indicates that the threat has been around since July or earlier this year.
There’s also solid evidence that Duuzer doesn’t act on its own. The backdoor’s authors are suspected to spread two other malicious threats with backdoor capabilities – W32.Brambul and Backdoor.Joanap. The latter are most likely spread to download extra payloads and spy on the exploited systems.
What Do We Know about Duuzer So Far?
The expert team at Symantec has uncovered that Duuzer is crafted to work on both 32-bit and 64-bit computers. Not only does the backdoor affect both system types, it is also able to identify whether the infected machine is virtual or not. It can also detect whether the virtual machine was created by VirtualBox or VMware. If the target is indeed a virtual machine, the attack is stopped. Thanks to this capability, the backdoor can evade detection by security researchers who run samples in virtual machines for analysis purposes.
The exact distribution path of Duuzer is not clear yet. Chances are the threat is being spread via spear phishing emails and watering hole attacks.
Are You Familiar with What a Watering Hole Attack Is?
Basically, a watering hole attack is a security exploit that seeks to compromise a specific group of users by compromising websites that the group visits regularly. The end goal is quite obvious – infecting the targets’ computers and obtaining remote access to the networks at the victims’ place of employment.
The attack strategy was identified in 2012 by RSA Security. The strategy can be quite efficient – we all visit our favorite pages on a regular, daily basis. Even though we may be quite savvy and laugh at people who fall for phishing schemes, we could still become malware prey simply by visiting a beloved page.
What are Brambul and Joanap?
As already mentioned, the Duuzer attack is linked to two other malicious threats.
W32.Brambul is a worm. It spreads from one machine to the next by relying on brute-force attacks against the Server Message Block (SMB) protocol, which provides shared access to files, printers and serial ports. The worm can also connect to random IP addresses. Once executed, Brambul creates a network share and grants cyber criminals access to the system drive. Then, it sends an email with details and login credentials to a preconfigured address. The threat has also been observed downloading other malware.
Backdoor.Joanap is dropped together with Brambul. It is designed to open a backdoor and send specific files to the hackers. It can also download and run files, and execute or terminate processes.
Researchers have revealed that the three pieces of malware can be employed to work together. Machines infected with Brambul were also compromised by Duuzer, and they were used as command & control servers for the Duuzer attack.
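The Brambul behaviour described above (a burst of failed SMB logons followed by a new share exposing the system drive) leaves a recognisable trail in a host's Windows Security log. The following detection logic is an added example, not code from the article or from Symantec's report; the event records are constructed, and the burst threshold and time window are assumed tuning values.

```python
# Added example, not from the article or Symantec's report: flag the W32.Brambul
# pattern (SMB password brute-forcing, then creation of a network share) in
# Windows Security event records collected from one host.
# Event IDs: 4625 = failed logon, 4624 = successful logon, 5142 = network share added.
# All records below are constructed for this example; thresholds are assumptions.
from collections import defaultdict

FAILED_LOGON_THRESHOLD = 5   # assumed: failed logons from one source that count as a burst
WINDOW_SECONDS = 60          # assumed: sliding window for counting failures

# Constructed records from a single host: (epoch seconds, event id, source, detail).
# For 4624/4625 'source' is the remote workstation address and 'detail' the account
# tried; for 5142 'source' is the account that created the share, 'detail' the share.
SAMPLE_EVENTS = [
    (1000, 4625, "10.0.0.7", "administrator"),
    (1005, 4625, "10.0.0.7", "admin"),
    (1010, 4625, "10.0.0.7", "user"),
    (1015, 4625, "10.0.0.7", "test"),
    (1020, 4625, "10.0.0.7", "guest"),
    (1025, 4625, "10.0.0.7", "backup"),
    (1030, 4624, "10.0.0.7", "backup"),        # a guessed password finally works
    (1040, 5142, "HOST\\backup", "\\\\*\\C$"),  # new share exposing the system drive
    (1100, 4625, "10.0.0.22", "jsmith"),       # one mistyped password: not a burst
]

def detect_smb_bruteforce(events, threshold=FAILED_LOGON_THRESHOLD, window=WINDOW_SECONDS):
    """Map each source with >= threshold failed logons inside one window to the time the burst crossed it."""
    failures = defaultdict(list)
    for ts, eid, src, _ in events:
        if eid == 4625:
            failures[src].append(ts)
    bursts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[src] = ts
                break
    return bursts

def detect_share_after_bruteforce(events, threshold=FAILED_LOGON_THRESHOLD, window=WINDOW_SECONDS):
    """Brambul-style chain: shares created on this host after a brute-force burst."""
    bursts = detect_smb_bruteforce(events, threshold, window)
    first_burst = min(bursts.values(), default=float("inf"))  # inf: no burst, nothing matches
    return [(src, detail) for ts, eid, src, detail in events
            if eid == 5142 and ts >= first_burst]
```

A single failed logon from another address stays below the threshold, so only the chained burst-then-share sequence is reported.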
How Can I Increase My Employees’ Safety?
There’s no single formula. Malware authors are constantly figuring out new ways to sneak into targeted organizations. The infection usually starts by attacking the ‘weakest links’. Make sure to educate yourself, your employees and even your employers, if they haven’t taken any steps towards securing their data.
- Make sure to use additional firewall protection. Installing a second firewall (ZoneAlarm, for example) adds a further layer of defense against potential intrusions.
- Make sure that your programs have less administrative power over what they read and write on your computer. Make them prompt you for admin access before starting.
- Use stronger passwords. Stronger passwords (preferably ones that are not dictionary words) are harder to crack by several methods, including brute forcing, which relies on password lists built from common words.
- Turn off AutoPlay. This protects your computer from malicious executable files on USB sticks or other external storage devices that would otherwise run as soon as they are inserted.
- Disable file sharing. If you do need to share files between computers, password-protect the shares so that an infection stays confined to your own machine.
- Switch off any remote services you do not need. Exploited remote services can be devastating for business networks, since they allow damage on a massive scale.
- If a third-party service or process that is not critical to Windows is being exploited by hackers (Flash Player, for example), disable it until an update that fixes the vulnerability is available.
- Make sure always to update the critical security patches for your software and OS.
- Configure your mail server to block and delete emails containing suspicious file attachments.
- If you have a compromised computer in your network, make sure to isolate it immediately by powering it off and physically disconnecting it from the network.
- Make sure to educate all of the users on the network never to open suspicious file attachments, show them examples.
- Employ a virus-scanning extension in your browser that will scan all the downloaded files on your computer.
- Turn off any wireless services you do not need, like infrared ports or Bluetooth – hackers love to use them to exploit devices. If you do use Bluetooth, keep an eye on unknown devices that prompt you to pair with them; decline the request and investigate any suspicious ones.
- Employ a powerful anti-malware solution to protect yourself from any future threats automatically.