New Backdoor Trojan Duuzer is Targeting South Korean Industries

Attacks through backdoor Trojans are increasing rapidly. Recently, a team of security experts unveiled Duuzer, an army of backdoor Trojans. Like other malware of its kind, Duuzer allows cyber crooks to remotely access and control infected systems.


“Duuzer” was developed to steal valuable data from South Korean organisations. The code can infect both 32-bit and 64-bit Windows PCs (running Windows 7, Vista or XP).

How Trojan Duuzer affects the system

Duuzer allows the attacker to command and control the compromised system and to gather the company information listed below:

  • Gather system, drive and operating system details.
  • Create, customise and terminate any running process.
  • Modify, access or delete data on the infected system.
  • Download other malware onto the system.
  • Change the date and time stamps of stored files.
  • Run malicious commands.
  • Steal sensitive and valuable information from the system.

How Duuzer attacks

Duuzer enters systems through spear phishing and watering hole attacks (exploiting weaknesses in the targeted systems), so visitors to a compromised site can be infected as well. Once installed on a PC, Duuzer checks whether it is being analysed by security software. After that check, the Trojan changes the existing software configuration of the system and uses it to spread. Once it has spread across the whole system, it allows the attacker to command the system and gather all relevant information.

Along with this nasty backdoor Trojan, two other pieces of malware have been found on the machines of South Korean organisations: the ‘Brambul’ worm and the ‘Joanap’ Trojan. Attackers have used a dropper to install the Brambul worm and the stealthy Joanap Trojan. The two work together and are used to log and monitor compromised systems from a remote location, but it is still not clear how the dropper is distributed to the systems.

Brambul uses a brute-force attack over the Server Message Block (SMB) protocol to spread from one system to another. After infecting a system, Brambul connects to arbitrary IP addresses on the local network and tries to authenticate over SMB using a list of common passwords.

Once in over SMB, the malicious code also creates a network share on the infected system and sends the system and login details to a given email address.
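Brambul's SMB spreading, as described above, shows up in Windows Security logs as a burst of failed network logons from one host against many others. The following is an added detection example, not code from the original post or from any vendor: it runs over constructed event records shaped like the fields of event 4625 (timestamp, target host, source IP, account, logon type) and flags a source that fails repeatedly against several hosts within a short window; the field layout, sample data and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like Windows Security event 4625 (failed logon)
# fields: (timestamp, target host, source IP, account name, logon type).
# Logon type 3 is a network logon, which is what SMB authentication produces.
SAMPLE_EVENTS = [
    ("2015-10-26 09:00:01", "FS01", "10.0.0.23", "administrator", 3),
    ("2015-10-26 09:00:02", "FS01", "10.0.0.23", "admin", 3),
    ("2015-10-26 09:00:02", "FS01", "10.0.0.23", "guest", 3),
    ("2015-10-26 09:00:05", "FS02", "10.0.0.23", "administrator", 3),
    ("2015-10-26 09:00:06", "FS02", "10.0.0.23", "admin", 3),
    ("2015-10-26 09:00:09", "WS17", "10.0.0.23", "administrator", 3),
    ("2015-10-26 09:00:10", "WS17", "10.0.0.23", "root", 3),
    ("2015-10-26 09:00:12", "WS18", "10.0.0.23", "administrator", 3),
    ("2015-10-26 09:00:13", "WS18", "10.0.0.23", "admin", 3),
    ("2015-10-26 09:01:00", "WS18", "10.0.0.23", "admin", 3),
    # Benign noise: one user mistypes a password twice at the console (type 2)
    # and once against a file server over the network.
    ("2015-10-26 09:00:30", "WS05", "10.0.0.50", "jsmith", 2),
    ("2015-10-26 09:00:41", "WS05", "10.0.0.50", "jsmith", 2),
    ("2015-10-26 09:03:00", "FS01", "10.0.0.50", "jsmith", 3),
]


def detect_smb_bruteforce(events, window=timedelta(minutes=5),
                          min_failures=8, min_targets=3):
    """Return {source_ip: (failures, distinct_targets)} for every source whose
    network-logon failures inside some sliding window reach both thresholds."""
    by_source = defaultdict(list)
    for ts, target, src, _account, logon_type in events:
        if logon_type != 3:  # only network logons are SMB candidates
            continue
        by_source[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), target))
    hits = {}
    for src, rows in by_source.items():
        rows.sort()
        for i in range(len(rows)):  # slide a window starting at each failure
            start = rows[i][0]
            in_window = [t for when, t in rows[i:] if when - start <= window]
            failures, targets = len(in_window), len(set(in_window))
            if failures >= min_failures and targets >= min_targets:
                hits[src] = (failures, targets)
                break
    return hits


if __name__ == "__main__":
    for src, (n, t) in detect_smb_bruteforce(SAMPLE_EVENTS).items():
        print(f"possible SMB brute force from {src}: {n} failures against {t} hosts")
```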

What is the connection among Duuzer, Brambul and Joanap?

Brambul is used to drop a piece of malware (either Duuzer or Joanap) on infected machines. Brambul is used as a command-and-control server for Duuzer, while Joanap allows Duuzer to register itself as a legitimate OS service. This combination of three stubborn pieces of malware can perform tasks such as:

  • Send particular data to the attackers.
  • Modify, save or delete files.
  • Download dubious files and execute them.
  • Start or terminate processes.
  • Propagate commands received from the C&C server.

Prevention tips

The growing economic success of South Korean organisations is attracting cyber-criminals, and Duuzer is the latest example. Unlike other stubborn and dangerous threats, this small army of Duuzer, Brambul and Joanap cannot harm an organisation's data severely. Still, businesses are advised to safeguard their companies by using a genuine endpoint security solution and following security best practices to avoid the potential risks. Use McAfee Internet Security to keep your PC, Android and Mac safe from online threats. If you have any technical queries about McAfee, call our McAfee antivirus support number +1-800-243-0051.
