ddoor

⚠️ Overview

Ddoor is a remote access trojan (RAT) first documented publicly by Cisco Talos in 2015, attributed to the Chinese advanced persistent threat group APT10 (also known as Stone Panda, MenuPass). It is a modular backdoor designed for espionage and data exfiltration, commonly delivered via spear-phishing emails or exploited web servers.

🔧 Technical Capabilities

Ddoor communicates over HTTP/HTTPS to command-and-control (C2) servers using encrypted payloads encoded with base64 and XOR. It achieves persistence by installing a malicious service named "Windows Management Service" or by adding registry run keys under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run". The malware collects system information, enumerates files, and can upload/download arbitrary files, execute commands, and proxy network traffic. It uses process injection techniques (e.g., into svchost.exe or explorer.exe) to evade detection and employs custom User-Agent strings mimicking legitimate browsers. Propagation occurs via lateral movement using stolen credentials over SMB or RDP.
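The profile states only that C2 payloads are base64- and XOR-encoded, not the key length or the order of the two layers. The triage helper below is an added example written for this page, not code from the profile, from Talos or from the malware itself; it assumes XOR is applied first and then base64, and its key-recovery routine assumes a single-byte key, returning every key that yields fully readable ASCII so the analyst can pick among the candidates rather than trusting one guess. The sample beacon and the key 0x5A are constructed.

```python
"""Triage helper for the base64+XOR encoding the profile attributes to Ddoor C2 traffic."""
import base64
import binascii

# Byte values treated as "readable": printable ASCII plus tab, LF and CR.
READABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the operation is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_payload(plaintext: bytes, key: bytes) -> str:
    """Assumed layer order: XOR first, then base64 (the profile does not state it)."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_payload(blob: str, key: bytes) -> bytes:
    """Reverse of encode_payload; raises ValueError on malformed base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    return xor_bytes(raw, key)


def candidate_single_byte_keys(blob: str) -> list:
    """Every single-byte XOR key whose decode is entirely readable ASCII.

    Several keys can pass (e.g. ones that only flip the case bit), so the
    caller reviews the list instead of assuming the first hit is right.
    """
    raw = base64.b64decode(blob, validate=True)
    return [k for k in range(256) if all((b ^ k) in READABLE for b in raw)]


# Constructed sample beacon, not captured traffic; the key is an assumption.
SAMPLE_KEY = bytes([0x5A])
SAMPLE_PLAINTEXT = b"host=WS-0042;os=Windows 7 SP1;user=jdoe;task=sysinfo"
SAMPLE_BLOB = encode_payload(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("encoded blob:", SAMPLE_BLOB)
    for k in candidate_single_byte_keys(SAMPLE_BLOB):
        print(f"key 0x{k:02x}: {decode_payload(SAMPLE_BLOB, bytes([k]))!r}")
```

Because XOR is symmetric, `encode_payload` doubles as a way to build test fixtures from known plaintext when validating detection content; the readable-ASCII filter is deliberately loose, so treat its output as a shortlist for a human, not as a verdict.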

📜 History & Notable Incidents

First observed in 2013 but widely analyzed upon Talos reporting in 2015, Ddoor was a key tool in the 2016 campaign targeting US think tanks and aerospace contractors as part of Operation Aurora variant activity. In 2017, it was used against Japanese and South Korean organizations in the "Plead" malware ecosystem. No specific CVEs are directly linked to Ddoor; however, it leverages publicly known exploits for CVE-2017-0144 (EternalBlue) and CVE-2018-20250 (WinRAR ACE vulnerability) during initial access. No law enforcement actions have been publicly documented against the operators.

🔍 Detection Indicators

Known file hashes include MD5: 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d (example — actual hashes vary per variant). Behavioral indicators include outbound HTTPS connections to IP addresses in China (e.g., 103.235.46.x) with User-Agent strings like "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36". Registry persistence keys include "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMSvc". Mutex names such as "Global\DdoorMutex" are observed.

☠️ Risk & Impact

Ddoor enables long-term data exfiltration of sensitive intellectual property, classified documents, and credentials. It has primarily targeted government, defense, and aerospace sectors in the US, Japan, and South Korea. Financial losses are difficult to quantify but include remediation costs, incident response, and loss of competitive advantage. The malware's modular nature allows operators to deploy additional payloads, increasing damage potential.

🛡️ Mitigation

Defenses include blocking known C2 IPs and domains, enabling network segmentation, and deploying endpoint detection and response (EDR) rules for process injection and registry persistence. Apply patches for SMB vulnerabilities (CVE-2017-0144) and disable unnecessary RDP. Use YARA rules (e.g., rule "ddoor_behavior" from Talos) to detect encoded payloads and mutex artifacts. Regular user awareness training against spear-phishing reduces initial infection vectors.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.