{
	"id": "026dae4a-8989-49eb-8b88-73ef3d280963",
	"created_at": "2026-04-06T00:12:33.159037Z",
	"updated_at": "2026-04-10T13:12:00.752423Z",
	"deleted_at": null,
	"sha1_hash": "54bb0ae5c94dba38f4d61abc46504c4ae4bb341c",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 257782,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-02 11:29:06 UTC\r\nSymantec has found that South Korea is being impacted by an active back door Trojan, detected as\r\nBackdoor.Duuzer. While the malware attack has not been exclusively targeting the region, it has been focusing on\r\nthe South Korean manufacturing industry. Duuzer is a well-designed threat that gives attackers remote access to\r\nthe compromised computer, downloads additional files, and steals data. It’s clearly the work of skilled attackers\r\nlooking to obtain valuable information.\r\nThere is also evidence to suggest that the actors behind Duuzer are spreading two other threats, detected as\r\nW32.Brambul and Backdoor.Joanap, to target more organizations in South Korea. Brambul and Joanap appear to\r\nbe used to download extra payloads and carry out reconnaissance on infected computers.\r\nDuuzer: An advanced back door threat\r\nDuuzer is an ongoing threat that is being delivered in targeted attacks. While the exact distribution method is\r\nunknown, it’s likely that the malware is spreading through spear-phishing emails or watering-hole attacks.\r\nThe Trojan has been designed to work on both 32-bit and 64-bit computers. It also detects whether the computer it\r\nhas infected is a virtual machine that was made using VirtualBox or VMware. If this is the case, then Duuzer\r\nstops executing. This allows Duuzer to attempt to evade detection from security researchers who are running\r\nvirtual machines that are designed to be compromised with malware for analysis.\r\nOnce Duuzer infects a computer, it opens a back door, giving the attackers access to almost everything. 
The\r\nattackers can securely connect to the compromised computer through the threat and perform the following\r\nactivities:\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-\r\n9234207ae7df\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 6\n\nGather system and drive information\r\nCreate, enumerate, and end processes\r\nAccess, modify, and delete files\r\nUpload and download files\r\nChange the time attributes of files\r\nExecute commands\r\nThe Duuzer attackers have been observed trying to disguise their malware on an infected computer. They do this\r\nby identifying what software is installed and runs on startup, then renaming their malware to a name similar to that of an\r\nexisting, legitimate program.\r\nBased on our analysis of Duuzer, the attackers behind the threat appear to be experienced and have knowledge\r\nabout security researchers’ analysis techniques. Their motivation seems to be obtaining valuable information from\r\ntheir targets’ computers.\r\nThe attackers appear to be manually running commands through the back door on affected computers. 
In one case,\r\nwe observed the attackers creating a camouflaged version of their malware, and in another, we saw them\r\nattempting, but failing, to deactivate Symantec Endpoint Protection (SEP).\r\nDuuzer in disguise\r\nThe attackers began by querying the Run key in the registry, redirecting the output to a temporary file:\r\ncmd.exe /c \"reg query \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" \u003e\r\nC:\\Windows\\TEMP\\BP25B4.tmp\" 2\u003e\u00261\r\nThey narrowed their query down to a specific user’s Run key:\r\ncmd.exe /c \"reg query \"HKEY_USERS\\[REMOVED]\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\r\n\u003e C:\\Windows\\TEMP\\BP6380.tmp\" 2\u003e\u00261\r\nThe attackers discovered that a particular program was installed on the affected computer and decided to mimic\r\nthat software. They created a new folder with the same name as the identified application, but in a different\r\nlocation. They then copied their malware into that folder:\r\ncmd.exe /c \"md C:\\USER_PROFILE\\AppData\\Local\\[REMOVED]\"\r\nThe attackers listed out the attributes for the file that they attempted to mimic. They then changed the attributes of\r\ntheir malicious file to match those of the clean one.\r\ncmd.exe /c \"dir /a \"C:\\Program Files (x86)\\[REMOVED]\\[REMOVED] AGENT\\[REMOVED].exe\" \u003e\r\nC:\\Windows\\TEMP\\BPD0B6.tmp\" 2\u003e\u00261\r\nFinally, the attackers created a new registry entry in the Run subkey to load their malware. 
Again, they used a\r\nsimilar name to the legitimate application to mimic it.\r\ncmd.exe /c \"reg add \"HKEY_USERS\\[REMOVED]\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v\r\n\"[REMOVED]Agent\" /t REG_SZ /d \"\\\"C:\\USER_PROFILE\\AppData\\Local\\[REMOVED]\\[REMOVED].exe\\\"\" /f \u003e C:\\Windows\\TEMP\\BPA62F.tmp\" 2\u003e\u00261\r\nThe attackers launched the camouflaged version of the malware, ended the old instance’s process, and deleted the\r\nfirst instance of the malware. At this point, having blended in among the victim’s processes, the attackers began to explore\r\nthe local network using standard network enumeration tools.\r\nFailing to deactivate Symantec Endpoint Protection\r\nOn a separate computer, during their network-mapping exercise, the attackers were unable to bypass SEP\r\ndetections and attempted to disable the application. To do this, they installed an API-hooking tool in an effort to\r\ndiscover how the security application was interfacing with Windows and deactivate it. However, they were unable\r\nto stop SEP’s monitoring activities.\r\nThe Brambul/Joanap connection\r\nDuring our research, we found a dropper that infects computers with a worm known as Brambul and a back door\r\nTrojan called Joanap. It’s unclear how the dropper is being distributed, but it’s likely that it comes from malicious\r\nemails. Our analysis of Duuzer indicates that the Trojan is associated with both Brambul and Joanap. Computers\r\ninfected with Brambul have been used as command-and-control (C\u0026C) servers for Duuzer and have also been\r\ncompromised with Duuzer.\r\nThe Brambul worm uses brute-force attacks to propagate. 
The threat connects to random IP addresses through the\r\nServer Message Block (SMB) protocol using a hardcoded list of user names and passwords. The passwords are\r\nquite common or easy to guess, such as “123123”, “abc123”, “computer”, “iloveyou”, “login”, and “password”.\r\nAfter Brambul compromises a computer, it creates a net share to give attackers access to the system drive (usually\r\nthe C: drive). It sends a message with the computer’s details and login credentials to a hardcoded email address.\r\nBrambul’s variants may be able to drop additional threats.\r\nJoanap is dropped alongside Brambul and registers itself as a service with the display name “SmartCard\r\nProtector”. This threat can open a back door, send specific files to the attackers, save or delete files, download and\r\nrun executables, and launch or end processes.\r\nJoanap also sends commands and configuration data over an RC4-encrypted connection to other computers\r\ninfected with these threats. These commands could include running or ending processes, moving or deleting files,\r\nand updating C\u0026C details.\r\nMitigation\r\nDuuzer, Brambul, and Joanap are just a small selection of many threats affecting South Korea. The nation has\r\nbeen impacted in high-profile, targeted campaigns over the last few years. According to the region’s National\r\nComputing \u0026 Information Agency (NCIA), there have been more than 114,035 attacks targeting government\r\nagencies between 2011 and 2015 so far. 
The numerous malicious campaigns in the region highlight how attackers\r\ncontinue to see South Korea as an attractive target.\r\nSymantec recommends that users and businesses adhere to the following best practices to prevent their computers\r\nfrom being compromised with this malware:\r\nChange default user names and passwords\r\nAvoid using common or easy-to-guess passwords. The Norton Security Center has advice on how to pick\r\nstrong passwords.\r\nEnsure that the operating system and software are regularly updated to prevent known vulnerabilities from\r\nbeing exploited\r\nDon’t open suspicious emails. These messages typically distribute malware through malicious links and\r\nattachments.\r\nKeep security software up-to-date with the latest definitions\r\nProtection\r\nNorton Security, Symantec Endpoint Protection, and other Symantec security products protect users against these\r\nthreats through the following detections:\r\nAntivirus\r\nBackdoor.Duuzer\r\nW32.Brambul\r\nBackdoor.Joanap\r\nIntrusion Prevention System\r\nSystem Infected: Backdoor.Joanap Activity\r\nWe’ve also provided the indicators of compromise for Duuzer, Brambul, and Joanap, as follows:\r\nBackdoor.Duuzer indicators of 
compromise\r\nW32.Brambul indicators of compromise\r\nBackdoor.Joanap indicators of compromise\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey\r\n=5b9850b9-0fdd-48a9-b595-9234207ae7df\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [],
	"ts_created_at": 1775434353,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54bb0ae5c94dba38f4d61abc46504c4ae4bb341c.pdf",
		"text": "https://archive.orkl.eu/54bb0ae5c94dba38f4d61abc46504c4ae4bb341c.txt",
		"img": "https://archive.orkl.eu/54bb0ae5c94dba38f4d61abc46504c4ae4bb341c.jpg"
	}
}