# Endpoint Protection **[symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers](https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers)** Oct 26, 2015 09:01 AM [A L Johnson](https://community.broadcom.com/symantecenterprise/network/members/profile?UserKey=cbd453fd-3ce1-4c47-af77-d746256f9bc4) Symantec has found that South Korea is being impacted by an active back door Trojan, [detected as Backdoor.Duuzer. While the malware attack has not been exclusively targeting](https://www.symantec.com/security_response/writeup.jsp?docid=2015-082113-4423-99) the region, it has been focusing on the South Korean manufacturing industry. Duuzer is a well-designed threat that gives attackers remote access to the compromised computer, downloads additional files, and steals data. It’s clearly the work of skilled attackers looking to obtain valuable information. There is also evidence to suggest that the actors behind Duuzer are spreading two other threats, detected as [W32.Brambul and](https://www.symantec.com/security_response/writeup.jsp?docid=2015-051114-3802-99) [Backdoor.Joanap, to target more organizations in](https://www.symantec.com/security_response/writeup.jsp?docid=2015-092507-0410-99) South Korea. Brambul and Joanap appear to be used to download extra payloads and carry out reconnaissance on infected computers. ----- **Duuzer: An advanced back door threat** Duuzer is an ongoing threat that is being delivered in targeted attacks. While the exact distribution method is unknown, it’s likely that the malware is spreading through spearphishing emails or watering-hole attacks. The Trojan has been designed to work on both 32-bit and 64-bit computers. It also detects whether the computer it has infected is a virtual machine that was made using Virtual Box or VMware. If this is the case, then Duuzer stops executing. This allows Duuzer to attempt to evade detection from security researchers who are running virtual machines that are designed to be compromised with malware for analysis. Once Duuzer infects a computer, it opens a back door, giving the attackers access to almost everything. The attackers can securely connect to the compromised computer through the threat and perform the following activities: Gather system and drive information Create, enumerate, and end processes Access, modify, and delete files Upload and download files Change the time attributes of files Execute commands The Duuzer attackers have been observed trying to disguise their malware on an infected computer. They do this by identifying what software is installed and runs on startup, then renaming their malware to a similar title of an existing, legitimate program. Based on our analysis of Duuzer, the attackers behind the threat appear to be experienced and have knowledge about security researchers’ analysis techniques. Their motivation seems to be obtaining valuable information from their targets’ computers. The attackers appear to be manually running commands through the back door on affected computers. In one case, we observed the attackers creating a camouflaged version of their malware, and in another, we saw them attempting, but failing, to deactivate Symantec Endpoint Protection (SEP). **Duuzer in disguise** The attackers began by querying the Run key in the registry, redirecting the output to a temporary file: cmd.exe /c "reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" > C:\Windows\TEMP\BP25B4.tmp" 2>&1 They narrowed their query down to a specific user’s Run key: ----- cmd.exe /c reg query HKEY_USERS\ [REMOVED]\Software\Microsoft\Windows\CurrentVersion\Run" > C:\Windows\TEMP\BP6380.tmp" 2>&1 The attackers discovered that a particular program was installed on the affected computer and decided to mimic that software. They created a new folder with the same name as the identified application, but in a different location. They then copied their malware into that folder: cmd.exe /c "md C:\USER_PROFILE\AppData\Local\[REMOVED]" The attackers listed out the attributes for the file that they attempted to mimic. They then changed the attributes of their malicious file to match those of the clean one. cmd.exe /c "dir /a "C:\Program Files (x86)\[REMOVED]\[REMOVED] AGENT\ [REMOVED].exe" > C:\Windows\TEMP\BPD0B6.tmp" 2>&1 Finally, the attackers created a new registry entry in the Run subkey to load their malware. Again, they used a similar name to the legitimate application to mimic it. cmd.exe /c "reg add "HKEY_USERS\ [REMOVED]\Software\Microsoft\Windows\CurrentVersion\Run" /v " [REMOVED]Agent" /t REG_SZ /d "\"C:\USER_PROFILE\AppData\Local\[REMOVED]\ [REMOVED].exe\"" /f > C:\Windows\TEMP\BPA62F.tmp" 2>&1 The attackers launched the camouflaged version of the malware, ended the old instance process, and deleted the first instance of the malware. At this point, having blended into the victim process, the attackers began to explore the local network using standard network enumeration tools. **Failing to deactivate Symantec Endpoint Protection** On a separate computer, during their network-mapping exercise, the attackers were unable to bypass SEP detections and attempted to disable the application. To do this, they installed an API-hooking tool in an effort to discover how the security application was interfacing with Windows and deactivate it. However, they were unable to stop SEP’s monitoring activities. **The Brambul/Joanap connection** During our research, we found a dropper that infects computers with a worm known as Brambul and a back door Trojan called Joanap. It’s unclear how the dropper is being distributed, but it’s likely that it comes from malicious emails. Our analysis into Duuzer indicates that the Trojan is associated with both Brambul and Joanap. Computers infected with Brambul have been used as command-and-control (C&C) servers for Duuzer and have also been compromised with Duuzer. ----- The Brambul worm uses brute-force attacks to propagate. The threat connects to random IP addresses through the Server Message Block (SMB) protocol using a hardcoded list of user names and passwords. The passwords are quite common or easy to guess, such as “123123”, “abc123”, “computer,” “iloveyou,” ”login”, and “password”. After Brambul compromises a computer, it creates a net share to give attackers access to the system drive (usually the C: drive). It sends a message with the computer’s details and login credentials to a hardcoded email address. Brambul’s variants may be able to drop additional threats. Joanap is dropped alongside Brambul and registers itself as a service with the display name “SmartCard Protector.” This threat can open a back door, send specific files to the attackers, save or delete files, download and run executables, and launch or end processes. Joanap also sends commands and configuration data over an RC4-encrypted connection to other computers infected with these threats. These commands could include running or ending processes, moving or deleting files, and updating C&C details. **Mitigation** Duuzer, Brambul, and Joanap are just a small selection of many threats affecting South Korea. The nation has been impacted in high-profile, targeted campaigns over the last few years. According to the region’s National Computing & Information Agency (NCIA), there [have been more than 114,035 attacks targeting government agencies between 2011 and](http://www.zdnet.com/article/south-korea-suffers-110000-cyberattacks-in-five-years/) 2015 so far. The numerous malicious campaigns in the region highlight how attackers continue to see South Korea as an attractive target. Symantec recommends that users and businesses adhere to the following best practices to prevent their computers from being compromised with this malware: Change default user names and passwords [Avoid using common or easy-to-guess passwords. The Norton Security Center has](http://us.norton.com/dos-donts-passwords/article) advice on how to pick strong passwords. Ensure that the operating system and software is regularly updated to prevent known vulnerabilities from being exploited Don’t open suspicious emails. These messages typically distribute malware through malicious links and attachments. Keep security software up-to-date with the latest definitions **Protection** [Norton Security,](https://us.norton.com/) [Symantec Endpoint Protection, and other](https://www.symantec.com/endpoint-protection/) [Symantec security products](http://www.symantec.com/products-solutions/) protect users against these threats through the following detections: **Antivirus** ----- **Intrusion Prevention System** [System Infected: Backdoor.Joanap Activity](https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28867) We’ve also provided the indicators of compromise for Duuzer, Brambul, and Joanap, as follows: **Backdoor.Duuzer indicators of compromise** MD5 1205c4bd5d02782cc4e66dfa3fef749c 92d618db54690c6ae193f07a31d92098 3e6be312a28b2633c8849d3e95e487b5 41a6d7c944bd84329bd31bb07f83150a 7343f81a0e42ebf283415da7b3da253f 73471f41319468ab207b8d5b33b0b4be 84a3f8941bb4bf15ba28090f8bc0faec b04fabf3a7a710aafe5bc2d899c0fc2b e04792e8e0959e66499bfacb2a76802b 3a963e1de08c9920c1dfe923bd4594ff 51b3e2c7a8ad29f296365972c8452621 5f05a8f1e545457dbd42fe1329f79452 91e5a64826f75f74a5ae123abdf7cef5 9749a4b538022e2602945523192964ad 9ca7ec51a98c2b16fd7d9a985877a4ba bb6cbebd4ffd642d437afc605c32eca0 fb4caaaf1ac1df378d05111d810a833e 4b2d221deb0c8042780376cb565532f8 cd7a72be9c16c2ece1140bc461d6226d f032712aa20da98a1bbad7ae5d998767 f940a21971820a2fcf8433c28be1e967 71cdcc903f94f56c758121d0b442690f 0f844300318446a70c022f9487475490 SHA256 fd5a7e54cfdd3b3f32b44d8fdd845e62d6b86c0ddb550c544d659588d06ceaee 89b25f9a454240a3f52de9bf6f9a829d2b4af04a7d9e9f4136f920f7e372909b a01bd92c02c9ef7c4785d8bf61ecff734e990b255bba8e22d4513f35f370fd14 c327de2239034b6f6978884b33582ce97761bcc224239c955f62feebd01e5946 c7024cf43d285ec9671e8dc1eae87281a6ee6f28e92d69d94474efc2521f03ed 5a69bce8196b048f8b98f48c8f4950c8b059c43577e35d4af5f26c624140377c 477ca3e7353938f75032d04e232eb2c298f06f95328bca1a34fce1d8c9d12023 d57d772eefa6086b5c249efff01189cf4869c2b73007af63affc353474eaafcb ----- 4efeea9eeae3d668897206eeccb1444d542ea537ca5c2787f13dd5dadd0e6aaa a0a6d0e3af6e76264db1e0d4a4ad5745fff15eb2790938718b2c0988b9415b2b 5b28c86d7e581e52328942b35ece0d0875585fbb4e29378666d1af5be7f56b46 47181c973a8a69740b710a420ea8f6bf82ce8a613134a8b080b64ce26bb5db93 fb6d81f4165b41febc739358aeba0fe15048e1d445296e8df9104875be30f9a7 4a6aba1c182dd8304bac91cc9e1fc39291d78044995f559c1d3bce05afd19982 7099093177094ea5cc3380b42c2556ed6e8dd06a2f537fa6dd275e5cc1df9c9a 90d8643e7e52f095ed59ed739167421e45958984c4c9186c4a025e2fd2be668b 66df7660ddae300b1fcf1098b698868dd6f52db5fcf679fc37a396d28613e66b 37f652e2060066a1c2c317195573a334416f5a9b9933cfb1ece55bea8048d80f 6b71465e59eb1e266d47efeaecc256a186d3e08f570bffcfd5ac55e635c67c2a d2e03115ef1525f82d70fc691f0360e318ade176a3789cf36969630d9af6901a 912905ec9d839ca8dfd6771ff5c17aec3516f9ad159a9d627b81261055095fbf 4cf3a7e17dc4628725dd34b8e98238ed0a2df2dc83189db98d85a38f73706fa5 **W32.Brambul indicators of compromise** MD5 1c532fad2c60636654d4c778cfe10408 1db2dced6dfa04ed75b246ff2784046a 3844ec6ec70347913bd1156f8cd159b8 40878869de3fc5f23e14bc3f76541263 95a5f91931723a65dcd4a3937546da34 99d9f156c73bd69d5df1a1fe1b08c544 a1ad82988af5d5b2c4003c42a81dda17 ca4c2009bf7ff17d556cc095a4ce06dd f273d1283364625f986050bdf7dec8bb SHA256 c029ae20c314d7a0a2618f38ced03bac99e2ff78a85fe8c8f8de8555a8d153ab 1da344e5e55bef4307e257edd6f1e14835bdae17538a74afa5fc12c276666112 9c3e13e93f68970f2844fb8f1f87506f4aa6e87918449e75a63c1126a240c70e 230c2727e26467e16b5cf3ca37ecb8436ee5df41bfc4cd04062396642f9de352 d558bb63ed9f613d51badd8fea7e8ea5921a9e31925cd163ec0412e0d999df58 cbb174815739c679f694e16484a65aa087019272f94bcbf086a92817b4e4154b 61f46b86741c95336cdac3f07f42b7df3e84695968534be193e98ea76d1070d1 1dea57b33a48c79743481371a19e17f68ae768a26abc352f21560308698c786f 8df658cba8f8cf0e2b85007f57d79286eec6309e7a0955dd48bcd15c583a9650 **Backdoor.Joanap indicators of compromise** MD5 fd59af723b7a4044ab41f1b2a33350d6 ----- 4613f51087f01715bf9132c704aea2c2 074dc6c0fa12cadbc016b8b5b5b7b7c5 27a3498690d6e86f45229acd2ebc0510 7a83c6cd46984a84c40d77e9acff28bc 1d8f0e2375f6bc1e045fa2f25cd4f7e0 304cea78b53d8baaa2748c7b0bce5dd0 a1ad82988af5d5b2c4003c42a81dda17 SHA256 9a179e1ca07c1f16c4c1c4ee517322d390cbab34b5d123a876b38d08da1face4 a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717 7650d8c0874aa7d1f2a5a7d255112976e9f38ffad8b7cdda76d0baa8f4729203 5b10cfb236d56a0f3ddaa5e9463ebf307b1d2e0624b0f1c6ece19213804b6826 0622481f1c1e246289014e9fe3497e69f06ed8b3a327eda86e4442a46790dd2e 4c5b8c3e0369eb738686c8a111dfe460e26eb3700837c941ea2e9afd3255981e cbf5f579ff16206b17f039c2dc0fa35704ec01ede4ba18ecb1fc2c7b8217e54f 61f46b86741c95336cdac3f07f42b7df3e84695968534be193e98ea76d1070d1 -----