Symantec, a security firm, has found that South Korea is being targeted by an active back door Trojan, dubbed Backdoor.Duuzer, which gives an attacker remote access to the compromised computer, downloads additional files, and steals data.
Researchers from Symantec stated in the company's blog that Duuzer is especially focused on the South Korean manufacturing industry.
It is designed to work on both 32-bit and 64-bit computers. If Duuzer finds that the infected computer is a virtual machine created with VirtualBox or VMware, it stops executing. This lets Duuzer attempt to evade detection by security researchers, who commonly run malware inside virtual machines built to be infected for analysis.
Once Duuzer infects a computer, it opens a back door that gives the attackers access to almost everything. The attackers can gather system and drive information; create, enumerate, and end processes; access, modify, and delete files; upload and download files; change the time attributes of files; and execute commands.
“Based on our analysis of Duuzer, the attackers behind the threat appear to be experienced and have knowledge about security researchers’ analysis techniques. Their motivation seems to be obtaining valuable information from their targets’ computers,” the researchers wrote in the blog. “There is also evidence to suggest that the actors behind Duuzer are spreading two other threats, detected as W32.Brambul and Backdoor.Joanap, to target more organizations in South Korea.”
The researchers said that the detected malware families Brambul and Joanap are used to download extra payloads and carry out reconnaissance on infected computers. Although the exact distribution method is still unknown, the malware is likely spreading through spear-phishing emails or watering-hole attacks.
According to the researchers, Duuzer, Brambul, and Joanap are just a small selection of the many threats affecting South Korea. The nation has been hit by high-profile, targeted campaigns over the last few years.
To protect against these threats, Symantec recommends that users and businesses change default user names and passwords, avoid common or easy-to-guess passwords, regularly update the operating system and software, and not open suspicious emails.