REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography [source: trendmicro]

REDBALDKNIGHT, also known as BRONZE BUTLER and Tick, is a cyberespionage group known to target Japanese organizations such as government agencies (including defense) as well as those in biotechnology, electronics manufacturing, and industrial chemistry. Their campaigns employ the Daserf backdoor (detected by Trend Micro as BKDR_DASERF, otherwise known as Muirim and Nioupale) that has four main capabilities: execute shell commands, download and upload data, take screenshots, and log keystrokes.

Our recent telemetry, however, indicates that variants of Daserf were not only used to spy on and steal from Japanese and South Korean targets, but also against Russian, Singaporean, and Chinese enterprises. We also found various versions of Daserf that employ different techniques and use steganography—embedding codes in unexpected mediums or locations (i.e., images)—to conceal themselves better.

Like many cyberespionage campaigns, REDBALDKNIGHT’s attacks are intermittent but drawn-out. In fact, REDBALDKNIGHT has been zeroing in on Japanese organizations as early as 2008—at least based on the file properties of the decoy documents they’ve been sending to their targets. The specificity of their targets stems from the social engineering tactics used. The decoy documents they use in their attack chain are written in fluent Japanese, and particularly, created via the Japanese word processor Ichitaro. One of the decoy documents, for instance, was about the “plan of disaster prevention in heisei 20” (Heisei is the current/modern era in Japan).

For more, click here.