DESTOVER “DUUZER” BACKDOORS, MAR-OCT 2015, JAN 2016
The Duuzer variation of the Destover backdoors has evolved quite a bit from the original KorDllbot base. The samples use
more in-code obfuscation and are somewhat more complex. For example, string references are stored as encoded
local variables inside special functions: a caller obtains a string by calling the containing function with an
offset into the variable blob, and the function decodes and returns the string found at that offset.
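The following is an added illustration of that accessor pattern, not code from the report or from the malware. The blob layout (a one-byte length followed by the encoded bytes of each entry) and the single-byte XOR key are assumptions made for the example, since the report does not describe Duuzer's actual encoding; the sample strings are constructed. Beyond the accessor itself it shows the two things an analyst does next: walk the blob once to dump every string with its offset, and brute-force the key when it is not obvious from the code.

```python
# Added example: an "offset into an encoded string blob" accessor and the
# analyst helpers that undo it. Blob layout and XOR key are ASSUMPTIONS for
# this example; Duuzer's real scheme is not given in the report.

KEY = 0x5A  # assumed single-byte XOR key


def encode_blob(strings, key=KEY):
    """Build a constructed blob: each entry is a one-byte length followed by
    that many XOR-encoded bytes (sample layout, not the malware's)."""
    out = bytearray()
    for s in strings:
        raw = s.encode("ascii")
        out.append(len(raw))
        out.extend(b ^ key for b in raw)
    return bytes(out)


# Constructed sample strings (the names are ones the report mentions).
STRING_BLOB = encode_blob(["CMXE", "login.live.com", "ad.naver.com"])


def get_string(offset):
    """Stand-in for the 'containing function': the caller passes an offset
    into the blob and receives the decoded string stored at that position."""
    n = STRING_BLOB[offset]
    enc = STRING_BLOB[offset + 1:offset + 1 + n]
    return bytes(b ^ KEY for b in enc).decode("ascii")


def dump_all_strings(blob, key=KEY):
    """Analyst helper: walk the blob once and recover every (offset, string)
    pair, which is the natural next step once the decode routine is understood."""
    pos, found = 0, []
    while pos < len(blob):
        n = blob[pos]
        chunk = blob[pos + 1:pos + 1 + n]
        if len(chunk) != n:          # truncated entry: stop rather than misparse
            break
        found.append((pos, bytes(b ^ key for b in chunk).decode("ascii", "replace")))
        pos += 1 + n
    return found


def candidate_keys(blob):
    """Brute-force single-byte XOR keys: keep those under which every entry
    decodes to printable ASCII. Narrows the search when the key is not obvious."""
    keys = []
    for k in range(256):
        entries = dump_all_strings(blob, k)
        if entries and all(s.isascii() and s.isprintable() for _, s in entries):
            keys.append(k)
    return keys


if __name__ == "__main__":
    for off, s in dump_all_strings(STRING_BLOB):
        print(f"offset {off:3d}: {s}")
    print("key candidates:", [hex(k) for k in candidate_keys(STRING_BLOB)])
```

The length prefix is left unencoded here, which is why `dump_all_strings` can walk the blob under a wrong key and `candidate_keys` can filter on the decoded text alone; with a scheme that also hides lengths, the key search has to be run over the raw bytes instead.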
Like the “RandomDomain” and “e4004c1f” variants, these backdoors use specially crafted SSL headers to initiate
communication with their C&C servers, but the encryption of the traffic is custom rather than real SSL. The command scheme is also somewhat
unique: instead of a single digit to indicate which function to perform, these backdoors use binary multibyte command
statements.
There are several sub-variants of Duuzer. One sample (sha256
f31d6feacf2ecece13696dcc2da15d15d29028822011b45045f9efa8a0522098) appears to be a predecessor and is
somewhat simpler than later samples. Later variants include the “live” and the “naver” versions, named after the
server name they use in their faked SSL handshake: either “login.live.com” or “ad.naver.com”. The latest versions
we have seen, compiled in January 2016, do not use these strings at all.
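The faked SSL handshake and the decoy server names give a network defender two things to check together: the name the client claims to be talking to, and whether what comes back is actually TLS. The example below is added here and is not code from the report. It assumes the server name is carried as an SNI extension in a TLS ClientHello (the report says only that the handshake is faked and names the server), builds a constructed ClientHello and ServerHello for the test, and uses a constructed non-TLS reply as a stand-in for the custom-encrypted C&C traffic.

```python
import struct

# Server names the report associates with the "live" and "naver" variants.
# That they appear as a ClientHello SNI is an ASSUMPTION of this example.
DECOY_SNI = {"login.live.com", "ad.naver.com"}


def build_client_hello(server_name):
    """Constructed TLS 1.2-style ClientHello record carrying server_name as SNI."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name      # name type host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32                 # client_version, fixed sample random
            + b"\x00"                                  # session_id length 0
            + struct.pack(">H", 2) + b"\xc0\x2f"       # one cipher suite
            + b"\x01\x00"                              # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def build_server_hello():
    """Constructed, well-formed ServerHello record, as a real TLS server would send."""
    body = b"\x03\x03" + b"\x22" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake


# Constructed stand-in for a custom-encrypted C&C reply that is not TLS at all.
FAKE_REPLY = b"\x8b\x1a\x02\x00\x00\x10\xde\xad\xbe\xef\x42\x42\x42\x42\x42\x42"


def extract_sni(record):
    """Return the host name from a ClientHello's SNI extension, or None."""
    if len(record) < 5 or record[0] != 0x16:            # not a handshake record
        return None
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                    # not a ClientHello
        return None
    pos = 4 + 2 + 32                                    # header, version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                  # session id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack(">H", hs[pos:pos + 2])[0]  # cipher suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                  # compression methods
    if pos + 2 > len(hs):
        return None
    ext_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5:         # server_name extension
            name_len = struct.unpack(">H", edata[3:5])[0]
            return edata[5:5 + name_len].decode("ascii", "replace")
    return None


def looks_like_server_hello(response):
    """Heuristic: first bytes are a TLS handshake record whose length fields agree."""
    if len(response) < 9 or response[0] != 0x16 or response[1] != 0x03:
        return False
    rec_len = struct.unpack(">H", response[3:5])[0]
    if rec_len > len(response) - 5 or response[5] != 0x02:
        return False
    return int.from_bytes(response[6:9], "big") == rec_len - 4


def classify(client_hello, server_response):
    """Flag a decoy SNI whose server answers with something that is not TLS."""
    sni = extract_sni(client_hello)
    if sni in DECOY_SNI and not looks_like_server_hello(server_response):
        return f"suspect: decoy SNI {sni} answered with a non-TLS reply"
    return "ok"


if __name__ == "__main__":
    print(classify(build_client_hello("login.live.com"), build_server_hello()))
    print(classify(build_client_hello("login.live.com"), FAKE_REPLY))
```

Matching on the decoy names alone would flag every genuine login to those hosts, which is why the check pairs the SNI with the shape of the reply. Note the limit the report itself states: the January 2016 samples drop these strings, so for them only the "claims SSL but the reply is not TLS" half of the check still applies.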
As previously mentioned, Duuzer has been detailed in a report from Symantec (3). That report also describes the
connection to the Joanap malware family, and gives examples of live usage of the “CMXE” command line
execution mentioned before.
This variant has been seen as the payload of trojanized HWPX documents exploiting the CVE-2015-6585
vulnerability, as documented by FireEye (6). Decoy documents include invitations to events such as Korean Aerospace
Systems Engineering 2015 and Aeroseminar 2015, a Korean Aerospace Weapon System Development Seminar
(below). An email found on VirusTotal shows an attempt to send an exploited document containing this exact decoy
to the Korean Atomic Energy Research Institute (KAERI).