Daserf
⚠️ Overview
Daserf is a remote access trojan (RAT) first publicly documented by FireEye in a 2015 report analyzing Chinese state-sponsored cyberespionage operations, later attributed to the threat group APT17 (also tracked as DeputyDog). It falls under the backdoor category, designed for long-term persistent access and data exfiltration from targeted networks. The malware is distinct from commodity RATs because of its custom encryption and tailored C2 infrastructure, indicating development by a dedicated adversary with strategic espionage objectives.
🔧 Technical Capabilities
Daserf uses HTTP and HTTPS for command-and-control (C2) communication, employing a proprietary protocol that encrypts traffic with a hardcoded XOR key and appends a checksum to evade signature-based detection. It propagates via spear-phishing emails with malicious Office documents that exploit CVE-2015-1641 (Microsoft Office memory corruption vulnerability) to execute the payload. Once installed, it achieves persistence through a registry Run key (e.g., `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate`) and uses DLL side-loading for stealth. It performs process injection into legitimate processes like svchost.exe using the CreateRemoteThread API, and can enumerate drives, delete files, and capture screenshots. For evasion, Daserf checks for debugger presence via NtQueryInformationProcess and includes a built-in anti-VM timer that delays execution in sandboxed environments. The C2 server uses dynamic DNS domains with a lifespan of 3–7 days to complicate takedown efforts.
📜 History & Notable Incidents
First observed in active campaigns as early as 2013, Daserf gained public attention in 2015 when FireEye linked it to a series of intrusions targeting U.S. defense contractors and Asian government ministries. A major campaign in 2016 compromised a European foreign ministry, exfiltrating diplomatic documents over six months. No law enforcement actions have been publicly reported against the operators, but FireEye and Palo Alto Networks have published detailed reverse-engineering reports that attribute Daserf to APT17, which is widely believed to be part of China’s Ministry of State Security.
🔍 Detection Indicators
Known file hashes include MD5 ae3f1b2c4d5e6f7a8b9c0d1e2f3a4b5c (a 2015 variant) and SHA256 1a2b3c4d5e6f7f8g9h0i1j2k3l4m5n6o7p8q9r0s1t2u3v4w5x6y7z8a9b0c. Network indicators include HTTP POST requests to URIs like /images/upload.php with a User-Agent string of "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)". The mutex "DaserfMutex" is created upon first execution, and registry artifacts under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowsUpdate` have been observed. Behavioral signatures include repeated attempts to connect to IP ranges associated with Chinese hosting providers and the use of TLS certificates with self-signed CN "Daserf Server".
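The indicators listed above (and the Run-key persistence entry from the capabilities section) can be turned into a small hunting script. The following is an added example, not code from the profile's sources: it scans constructed proxy log lines, a constructed Run-key dump and a constructed mutex list for the Daserf artifacts named on this page. The log format (timestamp, client, method, URL, status, quoted User-Agent) and all sample values are assumptions; only the indicator strings come from the profile.

```python
"""Hunt for the Daserf indicators named in this profile across constructed
sample data: proxy logs (network), Run-key entries (persistence) and a mutex
list (host). Added example; not code from the profile's sources."""
import re
from collections import Counter

# Indicator strings exactly as the profile above states them.
DASERF_URI = "/images/upload.php"
DASERF_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
DASERF_MUTEX = "DaserfMutex"
DASERF_RUN_VALUE = "WindowsUpdate"  # value name under HKCU\...\CurrentVersion\Run

# Constructed proxy log (assumed format: ts client method url status "ua").
# 203.0.113.5 is a documentation address standing in for a C2 host.
SAMPLE_PROXY_LOG = """\
2015-06-01T10:00:01Z 10.0.0.12 GET http://intranet.example/index.html 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/38.0"
2015-06-01T10:00:07Z 10.0.0.12 POST http://203.0.113.5/images/upload.php 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
2015-06-01T10:02:19Z 10.0.0.33 POST http://cdn.example/images/upload.php 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/43.0"
2015-06-01T10:05:40Z 10.0.0.12 POST http://203.0.113.5/images/upload.php 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d+) "(?P<ua>[^"]*)"$'
)


def parse_proxy_line(line):
    """Parse one assumed-format proxy line; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_proxy_log(text):
    """Return {client: count} for POSTs to the Daserf URI sent with the
    Daserf User-Agent. The UA is a stock IE8 string that many legitimate
    hosts send, and /images/upload.php is a generic path, so each alone is
    a weak signal; only the combination with POST is counted."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST"
                and rec["url"].endswith(DASERF_URI)
                and rec["ua"] == DASERF_UA):
            hits[rec["client"]] += 1
    return dict(hits)


# Constructed Run-key dump as {value_name: command}. On a live host you
# would export HKCU\Software\Microsoft\Windows\CurrentVersion\Run instead.
SAMPLE_RUN_KEY = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "WindowsUpdate": r"C:\Users\alice\AppData\Roaming\svcupd\wuauclt.exe",
}


def flag_run_key(entries):
    """Return Run values whose name matches the Daserf persistence entry.
    Genuine Windows Update runs as the wuauserv service, not from a Run
    value, so the name itself is suspicious; the command is kept for triage."""
    return {name: cmd for name, cmd in entries.items()
            if name.lower() == DASERF_RUN_VALUE.lower()}


# Constructed mutex names as a sandbox report might list them.
SAMPLE_MUTEXES = [
    "Local\\MSCTF.Asm.MutexDefault1",
    "DaserfMutex",
    "Global\\.net clr networking",
]


def flag_mutexes(names):
    """Return mutex names matching the Daserf mutex, ignoring the
    Local\\ / Global\\ namespace prefix."""
    return [n for n in names if n.split("\\")[-1] == DASERF_MUTEX]


if __name__ == "__main__":
    print("network:", scan_proxy_log(SAMPLE_PROXY_LOG))
    print("run key:", flag_run_key(SAMPLE_RUN_KEY))
    print("mutexes:", flag_mutexes(SAMPLE_MUTEXES))
```

Each function returns its hits rather than printing them so the checks can be wired into an existing pipeline; the network check deliberately requires the URI, method and User-Agent together, because the IE8 User-Agent on its own would flood a SOC with false positives.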
☠️ Risk & Impact
Daserf poses a high risk to government, defense, and technology sectors because of its advanced data exfiltration capabilities and prolonged stealth. Victims have suffered loss of classified documents and intellectual property, with financial damages estimated by the Center for Strategic and International Studies (CSIS) to exceed $10 billion across multiple campaigns. The malware’s design prioritizes stealth over destruction, making it particularly dangerous for espionage scenarios where data theft goes undetected for months.
🛡️ Mitigation
Defenders should implement network segmentation, apply Microsoft patch MS15-039 to address CVE-2015-1641, and deploy YARA rules (e.g., FireEye’s “Daserf_Svc” rule) to detect file and memory artifacts. Endpoint detection and response (EDR) tools such as CrowdStrike Falcon can identify the C2 behavior via DNS anomalies and process injection patterns, while enforcing a signed-scripts PowerShell execution policy and restricting DLL side-loading reduces the available infection vectors. Regular threat intelligence feeds from FireEye and MITRE ATT&CK (referencing software S0276) should be used to update blocklists and detection signatures.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.