In this blog post, we will discuss the beaconing activity of new Daserf variants that surfaced last week. The backdoor communicates with its C2 domain over HTTP using both GET and POST requests.
First, the malware issues an HTTP GET request to download a GIF file from its C2 server. The response is not a GIF file but an XOR-encoded URL string. While the GIF filename varies from one Daserf sample to another, the directory name remains the same.
Daserf decodes the URL received from the server and concatenates it with an ASP filename. It uses the resulting URL for further communication with the C2 server over HTTP POST requests. The first of these contains encoded information about the infected system, such as its hostname, its IP address and its language.
The malware uses a hardcoded list of pseudorandom ASP filenames. Every filename is exactly 5 characters long. In addition, all the analyzed samples use the same hardcoded user-agent string in their HTTP communication with the server.
Given all the network artifacts mentioned above and assuming the appropriate meta keys are enabled, an analyst can develop a couple of app rules on RSA Security Analytics to detect the malicious traffic. The following queries can be used:
action = 'get' && directory = '/images/' && extension = 'gif' && filetype != 'gif' && client = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1) '
action = 'post' && filename length 9 && extension = 'asp' && content = 'application/x-www-form-urlencoded' && client = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)'
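To show what these two app rules actually match, here is an added example (not code from the original post or from RSA) that expresses both rules as Python predicates and runs them over a few constructed HTTP session records. The field names mirror the meta keys used in the queries (action, directory, filename, extension, filetype, content, client); the sample filenames are placeholders, not real indicators.

```python
# Added example: the two RSA Security Analytics app rules above as predicates
# over session dicts. The user-agent is compared after trimming whitespace so
# the rule with the trailing space inside the quotes matches the same string.
from typing import Dict, List

DASERF_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)"

def is_gif_beacon(s: Dict[str, str]) -> bool:
    """Rule 1: GET of a 'gif' under /images/ whose body is not actually a GIF."""
    return (s.get("action") == "get"
            and s.get("directory") == "/images/"
            and s.get("extension") == "gif"
            and s.get("filetype") != "gif"
            and s.get("client", "").strip() == DASERF_UA)

def is_asp_post(s: Dict[str, str]) -> bool:
    """Rule 2: form-urlencoded POST to a 5-char ASP name (5 + '.asp' == 9)."""
    return (s.get("action") == "post"
            and s.get("extension") == "asp"
            and len(s.get("filename", "")) == 9
            and s.get("content") == "application/x-www-form-urlencoded"
            and s.get("client", "").strip() == DASERF_UA)

def match_sessions(sessions: List[Dict[str, str]]) -> List[str]:
    """Return one rule label per session ('' when neither rule fires)."""
    labels = []
    for s in sessions:
        if is_gif_beacon(s):
            labels.append("daserf_gif_beacon")
        elif is_asp_post(s):
            labels.append("daserf_asp_post")
        else:
            labels.append("")
    return labels

# Constructed sample sessions (placeholder filenames, not real IOCs).
SAMPLE_SESSIONS = [
    {"action": "get", "directory": "/images/", "filename": "logo.gif",
     "extension": "gif", "filetype": "text", "client": DASERF_UA + " "},
    {"action": "get", "directory": "/images/", "filename": "logo.gif",
     "extension": "gif", "filetype": "gif", "client": DASERF_UA},  # real GIF
    {"action": "post", "directory": "/", "filename": "abcde.asp",
     "extension": "asp", "content": "application/x-www-form-urlencoded",
     "client": DASERF_UA},
    {"action": "post", "directory": "/", "filename": "login.asp",
     "extension": "asp", "content": "application/x-www-form-urlencoded",
     "client": "Mozilla/5.0"},  # same shape, different user-agent
]
```

The second and fourth records show the two conditions that keep each rule from firing on ordinary traffic: a response that really is a GIF, and a 5-character ASP POST from a different user-agent.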
You can find VirusTotal scan results for one Daserf sample here.
All of the IOCs from those HTTP sessions were added to RSA FirstWatch Live feeds.