Do you know what a backdoor is? It is the kind of malware that opens a clear path for cyber attackers to do whatever they want. Datper is that kind of malware. It is the descendant of Daserf, another backdoor that was initially coded in Visual C and later rewritten in Delphi. The newer backdoor is also Delphi-coded. Needless to say, they are similar. Unfortunately, these backdoors are not used on their own, although they do have some functionality of their own. Instead, the attackers behind them also employ other malicious threats. Furthermore, they can switch to using the Xxmm (also known as Minzen) backdoor. To top it all off, both the servers linked to this malware and the malware itself can be replaced, which makes the attacks much more unpredictable and the removal of the malware much more complicated. While it is unlikely that you need to delete Datper if you are a regular Windows user (the threat is targeted at large companies), you still need to be cautious.
The attackers behind Datper appear to go by the names Bronze Butler, Redbaldknight, and Tick. They are China-based, and they seem to be focusing on companies located in Japan and South Korea. Is this a government-level attack or cyber espionage? We do not know that at this time, but it is certainly a possibility. The group is using Datper and other malware to invade the operating systems of companies in transportation, electric power, machinery, aviation, railroads, and similar industries. It appears that the attackers are trying to hit the spots that would hurt the most. If the attackers manage to invade and drop their malware successfully, highly sensitive information could be leaked and compromised, which could stall the operations of the affected companies. If that happened on a large scale, the economy of the country as a whole could be impacted. Hopefully, that does not happen, but that is the power the Datper attackers have, which is why it is crucial to keep this backdoor away.
To ensure that Datper does not slither in along with other threats, it is important to stay away from suspicious emails and corrupted websites, and to ensure that systems are up to date and reliably protected. Emails could be used to deliver malicious files, and if those files were opened, that could lead to the silent execution of a malware payload. As for websites, they could be used to carry out drive-by download attacks, and even legitimate websites could be compromised to host malicious code. On outdated systems, unpatched vulnerabilities could be exploited to execute malware. Needless to say, caution and appropriate security measures must be taken to ensure that Datper and related threats cannot invade and cause a mess. Datper alone can record hardware info, host name, OS version, and other data and leak it to a remote C&C server. It can also execute other malware and manipulate files. The threats that follow Datper could be even more malicious, and you must remove them all.
It is clear that the attackers behind Datper are ready to adapt. They can use many different methods of attack, and they are constantly changing the malware combinations and the C&C servers used for communication. This is one of the strengths of the hacking group. Unfortunately, it also means that tracking, understanding, and removing Datper and other analogous infections can be extremely hard. While the infection might be named “comine.exe” on one system, it could be named “msupdate.exe” on another, and its location could differ as well. If that was not enough, a bunch of other infections could be active on the system at the same time! So, what are you supposed to do? Most likely, you do not need to worry about this malware at all if you do not live in Japan or South Korea and are not connected to a large network. Nonetheless, you should secure your system using anti-malware software ASAP. It will protect you and, if threats exist, will remove all of them at once.
| # | File Name | File Size (Bytes) | File Hash |
|---|-----------|-------------------|-----------|
| 1 | comine.exe | 24576 | MD5: 07f7846bbcda782e5639292ad93907eb |