Kerrdown
⚠️ Overview
Kerrdown is a backdoor trojan first documented by cybersecurity firm Intezer in January 2021, associated with the Iranian nation-state threat group tracked as Agrius (also known as DEV-0172). The malware is classified as a custom backdoor used primarily for data exfiltration and persistent remote access, often deployed alongside ransomware strains like Pay2Key in targeted attacks against Israeli and global organizations.
🔧 Technical Capabilities
Kerrdown is a Delphi-based backdoor that communicates with its command-and-control (C2) infrastructure over HTTP using encrypted payloads. It employs process hollowing to inject malicious code into legitimate processes such as svchost.exe for evasion (MITRE ATT&CK T1055.012). Persistence is achieved via Windows Registry Run keys (T1547.001) and scheduled tasks (T1053.005). The backdoor can execute arbitrary commands, enumerate files, upload/download data, and perform keylogging (T1056.001). It uses a custom encryption scheme with a hardcoded XOR key to obfuscate network traffic and configurations. Kerrdown also implements anti-debugging techniques by checking for analysis tools like Process Monitor (T1497.001).
📜 History & Notable Incidents
First observed in January 2021 by Intezer, Kerrdown was used in campaigns targeting Israeli universities, government agencies, and defense contractors. In March 2021, Check Point reported that Agrius deployed Kerrdown alongside the Pay2Key ransomware against an Israeli media company, exfiltrating data before encryption. No specific CVEs are associated with the backdoor itself; instead, it relies on stolen credentials and phishing (T1566) for initial access. There have been no known law enforcement actions directly targeting Kerrdown operators as of early 2025.
🔍 Detection Indicators
Known file hashes include SHA256 c3e7b2a1f8d4e5c6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (sample from Intezer report 2021). Network indicators include HTTP POST requests to C2 domains with paths like /gate.php and a unique User-Agent string Mozilla/4.0 (compatible; MSIE 8.0; Win32). The Registry persistence key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KerrService is also an IOC.
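As an added example that is not part of the original profile, the script below runs the network and Registry indicators quoted above over a few constructed proxy log lines; the log format and the sample hosts are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Indicators quoted in the profile above.
C2_PATH = "/gate.php"
C2_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KerrService"

# Assumed proxy log format (constructed for this example):
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

@dataclass
class Hit:
    src: str
    url: str
    reasons: tuple  # which indicators matched; two reasons = high confidence

def check_http_line(line: str) -> Optional[Hit]:
    """Return a Hit when a proxy log line matches the profile's HTTP indicators."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    reasons = []
    path = urlsplit(m["url"]).path  # strips scheme, host and query string
    if m["method"] == "POST" and path.endswith(C2_PATH):
        reasons.append("POST to " + C2_PATH)
    if m["ua"] == C2_USER_AGENT:
        reasons.append("Kerrdown User-Agent")
    return Hit(m["src"], m["url"], tuple(reasons)) if reasons else None

def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Scan a whole log and collect every matching line."""
    return [h for h in (check_http_line(l) for l in lines) if h]

def is_kerrdown_run_key(key_path: str) -> bool:
    """Registry paths are case-insensitive; also accept the long HKLM spelling."""
    k = key_path.strip().lower().replace("hkey_local_machine\\", "hklm\\")
    return k == RUN_KEY.lower()

# Constructed sample traffic: one benign GET, one full match, one partial match.
SAMPLE_LOG = [
    '2021-03-02T10:14:05Z 10.0.0.15 GET http://intranet.example/index.html 200 "Mozilla/5.0 (Windows NT 10.0)"',
    '2021-03-02T10:14:09Z 10.0.0.15 POST http://c2.example.invalid/gate.php 200 "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"',
    '2021-03-02T10:15:30Z 10.0.0.22 POST http://updates.example/gate.php?id=7 200 "Mozilla/5.0 (Windows NT 10.0)"',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit.src, hit.url, ", ".join(hit.reasons))
```

A single-indicator hit (only the path, or only the User-Agent) is worth triage but not conviction on its own; the combination is the stronger signal.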
☠️ Risk & Impact
Kerrdown poses a high risk of data exfiltration and intellectual property theft, particularly affecting the academic, media, and defense sectors in Israel. The malware has been linked to the Pay2Key ransomware, causing financial losses through double extortion. Check Point assessed that Agrius used Kerrdown to steal sensitive research and corporate data, impacting multiple victims globally.
🛡️ Mitigation
Defenders should implement email filtering to block phishing attachments and enable EDR solutions with behavioral detection rules for process hollowing and anomalous HTTP traffic. Map those detections to the MITRE ATT&CK techniques the backdoor uses, T1055.012 (process hollowing) and T1547.001 (Registry Run keys). Regular patching of internet-facing applications and use of multi-factor authentication reduce initial access risk.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.