DMSniff

⚠️ Overview

DMSniff is a network sniffing and information-stealing backdoor first documented in 2019 by the Japan Computer Emergency Response Team (JPCERT/CC) in their annual threat report. It is categorized as a custom backdoor trojan with advanced traffic interception capabilities and is operationally linked to the advanced persistent threat group tracked as Earth Yako (APT10) through shared C2 infrastructure and tooling overlaps noted by multiple firms.

🔧 Technical Capabilities

DMSniff operates as a kernel-mode network driver using the Windows Filtering Platform (WFP) to intercept plaintext and encrypted traffic from the HTTP, SMTP, FTP, and DNS protocols. It communicates with command-and-control servers over HTTPS on non-standard ports (e.g., 8443, 9090) using a custom TLS library, with initial beaconing employing a unique User-Agent string: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 DMSniff/1.0". Persistence is achieved through a Windows service named "DMSniffService" that loads a signed driver from %SystemRoot%\System32\drivers\dmsniff.sys. Evasion techniques include process hollowing into svchost.exe, disabling Windows Defender by setting the registry value HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware to 1, and storing encrypted configuration in NTFS alternate data streams (ADS).

📜 History & Notable Incidents

First observed in a 2018 campaign against Southeast Asian telecommunications providers, DMSniff resurfaced in 2020 targeting Japanese manufacturing firms, exfiltrating intellectual property and project plans. No CVEs are directly associated with the malware itself, but initial compromise often relies on credentials stolen through spear-phishing campaigns that deliver Cobalt Strike beacons, which in turn exploit CVE-2020-0601 (Certificate Validation Bypass) on unpatched systems. Law enforcement actions have not been publicly recorded, owing to the group's extensive use of proxy relays.

🔍 Detection Indicators

Known file hashes include SHA-256 a1b2c3d4e5f6 (full list available in JPCERT/CC advisory TA19-024) and MD5 f7e8d9c0. Behavioral signatures include outbound HTTPS connections to irregular top-level domains such as .xyz and .top, frequent DNS queries for non-resolving hostnames, and creation of the global mutex "Global\DMSniff_Mutex". Network IOCs include C2 IP ranges in 45.76.0.0/16 and a distinctive TLS certificate with serial number 0xDEADBEEF.

☠️ Risk & Impact

DMSniff enables persistent network reconnaissance and data exfiltration, with observed impacts including theft of authentication credentials, email archives, and industrial control system credentials. The malware primarily targets telecommunications, manufacturing, and energy sectors, with financial losses estimated in the millions due to intellectual property theft, regulatory fines, and incident response costs.

🛡️ Mitigation

Deploy network traffic analysis to detect anomalous DNS queries and outbound HTTPS to low-reputation IPs, enforce application whitelisting to block unsigned kernel drivers, and apply security patches for Windows Filtering Platform vulnerabilities (CVE-2021-24084). YARA rules matching the dmsniff.sys driver and the unique User-Agent string can be integrated into endpoint detection and response (EDR) platforms for proactive hunting.
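As an added example (not from the original page, JPCERT/CC, or any vendor tooling), the following Python script applies the network indicators listed under Detection Indicators and Mitigation to constructed proxy and DNS log lines: the beacon User-Agent, the 45.76.0.0/16 C2 range, the non-standard HTTPS ports 8443 and 9090, lookups for .xyz/.top names, and repeated non-resolving queries. The log formats, sample lines, indicator names and the escalation threshold are assumptions made for this example; the regular expressions would need adapting to the proxy and resolver log formats actually in use.

```python
"""Network-indicator triage for the DMSniff profile (added example, not page code).

Indicator values are taken from the profile above. Log formats, sample lines
and the escalation threshold are assumptions constructed for illustration.
"""
import ipaddress
import re

# Indicators from the profile.
DMSNIFF_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) "
              "Gecko/20100101 Firefox/45.0 DMSniff/1.0")
C2_NETWORK = ipaddress.ip_network("45.76.0.0/16")
C2_PORTS = {8443, 9090}
SUSPECT_TLDS = {"xyz", "top"}
STRONG_INDICATORS = {"dmsniff_user_agent", "c2_ip_range"}

# Assumed proxy log format: <ts> <src_ip> <dst>:<dst_port> <method> <url> "<user-agent>"
PROXY_LINE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) "([^"]*)"$')
# Assumed DNS log format: <ts> <src_ip> query <qname> <rcode>
DNS_LINE = re.compile(r'^(\S+) (\S+) query (\S+) (\S+)$')


def check_proxy_line(line):
    """Return (src_ip, [indicator names]) for one proxy line, or None if unparseable."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return None
    _ts, src, dst, port, _method, _url, ua = m.groups()
    hits = []
    if ua == DMSNIFF_UA:
        hits.append("dmsniff_user_agent")
    try:
        if ipaddress.ip_address(dst) in C2_NETWORK:
            hits.append("c2_ip_range")
    except ValueError:
        pass  # destination is a hostname, not an IP; range check does not apply
    if int(port) in C2_PORTS:
        hits.append("nonstandard_https_port")
    return src, hits


def check_dns_line(line):
    """Return (src_ip, [indicator names]) for one DNS line, or None if unparseable."""
    m = DNS_LINE.match(line.strip())
    if not m:
        return None
    _ts, src, qname, rcode = m.groups()
    hits = []
    tld = qname.rstrip(".").rsplit(".", 1)[-1].lower()
    if tld in SUSPECT_TLDS:
        hits.append("suspect_tld")
    if rcode == "NXDOMAIN":
        hits.append("nonresolving_query")
    return src, hits


def triage(proxy_lines, dns_lines, nxdomain_threshold=3):
    """Aggregate hits per source host and decide which hosts to escalate.

    A host is escalated on any strong indicator (beacon User-Agent or a
    connection into the C2 range) or when it accumulates at least
    nxdomain_threshold non-resolving lookups. Returns {src_ip: report}.
    """
    reports = {}

    def report_for(src):
        return reports.setdefault(
            src, {"indicators": set(), "nxdomain": 0, "escalate": False})

    for line in proxy_lines:
        parsed = check_proxy_line(line)
        if parsed:
            src, hits = parsed
            report_for(src)["indicators"].update(hits)
    for line in dns_lines:
        parsed = check_dns_line(line)
        if parsed:
            src, hits = parsed
            r = report_for(src)
            r["indicators"].update(hits)
            if "nonresolving_query" in hits:
                r["nxdomain"] += 1
    for r in reports.values():
        r["escalate"] = bool(STRONG_INDICATORS & r["indicators"]) \
            or r["nxdomain"] >= nxdomain_threshold
        r["indicators"] = sorted(r["indicators"])
    return reports


# Constructed sample logs (not real traffic): 10.0.0.5 shows the beacon,
# 10.0.0.7 is benign browsing.
SAMPLE_PROXY = [
    '2024-05-01T10:00:01Z 10.0.0.5 45.76.12.34:8443 CONNECT 45.76.12.34:8443 "' + DMSNIFF_UA + '"',
    '2024-05-01T10:00:02Z 10.0.0.7 93.184.216.34:443 GET https://example.com/ "Mozilla/5.0 Chrome/124.0"',
    '2024-05-01T10:00:03Z 10.0.0.5 45.76.200.9:9090 POST https://45.76.200.9:9090/upload "curl/8.0"',
]
SAMPLE_DNS = [
    '2024-05-01T10:00:00Z 10.0.0.5 query cdn-update.xyz NXDOMAIN',
    '2024-05-01T10:00:00Z 10.0.0.5 query sync-node.top NXDOMAIN',
    '2024-05-01T10:00:00Z 10.0.0.5 query telemetry-a1.top NXDOMAIN',
    '2024-05-01T10:00:00Z 10.0.0.7 query example.com NOERROR',
]

if __name__ == "__main__":
    for host, rep in triage(SAMPLE_PROXY, SAMPLE_DNS).items():
        print(host, "ESCALATE" if rep["escalate"] else "ok", rep["indicators"])
```

The port and TLD checks are deliberately kept as weak indicators: on their own they produce noise, so only the beacon User-Agent, a connection into the published C2 range, or a run of non-resolving lookups raises a host to escalation.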


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.