
Datper

Posted: November 2, 2018

Datper is a backdoor Trojan that can provide remote attackers with a degree of control over the infected PC through shell commands, as well as harvest and upload system information for its future exploitation. Users should disconnect their PCs from the Internet and take into account the possibility of Datper's dropping other threats, such as spyware, without requiring any consent or causing symptoms. Have your anti-malware programs protect your PC by deleting Datper on sight and abide by traditional server security standards for reducing the chances of your website becoming one of its C&C servers.

Neglectful Web Admins are Becoming Assistants to Trojans

While much of the focus of cyber-security lies in preventing personal computers from coming under attack, a sometimes-neglected side of threat management is the necessary reduction of Command & Control networks. Datper, a backdoor Trojan by the threat actors known as Tick, Redbaldknight, and Bronze Butler, is taking advantage of non-secure websites for efficient C&C resource management. As a result, a small business domain can become the assistant to a Trojan infection that's harvesting information from other targets.

Datper's payload is similar to that of other Trojans with backdoor functionality: it collects useful information such as the keyboard layout and hostnames and pings the criminal's server for further instructions. Successful contact with a C&C could let a remote attacker issue shell commands through Datper for future attacks, such as installing other software, deleting or uploading files or disabling different security features. Regretfully, malware experts have yet to confirm any of the other threats that Datper installs, and its overall campaign goals remain obscure.
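Because the article describes the backdoor as periodically contacting its server for instructions, one defender-side check is to look for that check-in pattern in web-proxy logs. The script below is an added example, not code from the original article or from any Datper analysis: it groups requests by (client, destination), measures the gaps between successive requests and flags pairs whose timing is frequent and unusually regular. The log format, the hostnames, the IP addresses and the thresholds are all constructed for the example.

```python
"""Beacon-interval heuristic over constructed web-proxy log lines.

Added example (not from the original article). Assumes a simple
whitespace-separated log format: "<ISO timestamp> <client_ip> <dest_host> <status>".
Hostnames, IPs and thresholds are constructed, not real indicators.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one client checks in with one host every ~5 minutes,
# while ordinary browsing to another host happens at irregular intervals.
SAMPLE_LOG = """\
2018-11-02T09:00:00 10.0.0.5 updates.example-vendor.test 200
2018-11-02T09:00:03 10.0.0.5 cdn.example-news.test 200
2018-11-02T09:05:01 10.0.0.5 updates.example-vendor.test 200
2018-11-02T09:07:40 10.0.0.5 cdn.example-news.test 200
2018-11-02T09:10:00 10.0.0.5 updates.example-vendor.test 200
2018-11-02T09:15:02 10.0.0.5 updates.example-vendor.test 200
2018-11-02T09:20:00 10.0.0.5 updates.example-vendor.test 200
2018-11-02T09:21:17 10.0.0.5 cdn.example-news.test 200
2018-11-02T09:25:01 10.0.0.5 updates.example-vendor.test 200
2018-11-02T09:30:00 10.0.0.5 updates.example-vendor.test 200
2018-11-02T09:48:05 10.0.0.5 cdn.example-news.test 200
2018-11-02T09:02:00 10.0.0.7 cdn.example-news.test 200
2018-11-02T09:31:00 10.0.0.7 cdn.example-news.test 200
"""


def parse_log(text):
    """Group request timestamps by (client_ip, dest_host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _status = line.split()
        events[(client, dest)].append(datetime.fromisoformat(ts))
    return events


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation, request count)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    # A coefficient of variation near zero means near-constant spacing.
    cv = pstdev(gaps) / mu if mu > 0 else float("inf")
    return mu, cv, len(ts)


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return [(client, dest, mean_gap_seconds, cv)] for pairs that are
    contacted at least min_requests times with very regular spacing."""
    hits = []
    for (client, dest), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge regularity
        mu, cv, _count = interval_stats(stamps)
        if cv <= max_cv:
            hits.append((client, dest, round(mu, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for client, dest, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest}: every ~{gap}s (cv={cv})")
```

Regular timing is only a heuristic: legitimate update checkers and monitoring agents beacon on fixed schedules too, so every hit needs triage against known-good destinations, and a backdoor that randomizes its sleep interval will push the coefficient of variation above the threshold. The value of the check is in surfacing candidates for a closer look, not in confirming an infection.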

However, more details are available about Datper's network infrastructure, which is similar to that of other Tick-supported Trojans, such as the Murim and Emdivi families. The threat actors are using a combination of legitimately-purchased Web domains and compromised websites for their C&C purposes. A typical example of the latter is a small business site that doesn't make use of SSL encryption or certificate-based authentication.

Containing the Datper Network

While Datper is not a 'botnet' and doesn't emphasize recruiting large numbers of PCs into a coordinated network, its Command & Control structure does require a similar degree of careless security behavior from PC users and domain admins. Tick is concentrating their website-hijacking efforts on entities in Asian nations, such as South Korea and Japan, as of 2018. Setting up SSL encryption, using passwords that aren't at risk from brute-force attacks, and updating your server's software are generally applicable recommendations that malware experts can provide for reducing the chances of your site becoming part of Datper's network.

On the other end of Datper's payload, the victims of its backdoor attacks have effectively handed control of their PCs over to Tick. Disabling all network connections, changing login combinations, and re-securing any local, confidential credentials are essential for recovering. Robust, in-depth anti-malware scans from appropriate cyber-security products should remove Datper and other threats that it could install automatically.

Datper stays active in 2018 as a possible replacement or sidegrade for Tick's other, backdoor-oriented threats. Since the infection vectors it's using remain mysterious, all PC users, and server admins, especially, should keep all of the usual security safeguards in the forefront of their minds.
