Datper Removal Guide

Do you know what Datper is?

Datper is not the kind of malware that should attack regular Windows users. Instead, it is an instrument that is used in larger-scale attacks that are specifically targeted at big companies and organizations. According to research, this malware was found to be used in the attacks targeted at companies that represent aviation, electricity, transportation, railroad, and similar industries in Japan and South Korea. It is believed that the attacks are performed by a Chinese hacking group called “Tick” (or redbaldknight, and Bronze Butler), but this information is not 100% confirmed yet. All in all, although companies with larger networks are believed to be the targets of this malware, we cannot guarantee that individual users will not face it by accident or on purpose. Of course, whether you are a company or an individual user, you must remove Datper.

The malicious Datper is Delphi-coded, and research shows that it is primarily used for Command & Control (C&C) server communication. It operates by receiving commands from this remote server. First, of course, the backdoor malware needs to invade the operating system, and it is believed that the attackers might be exploiting companies’ management software vulnerabilities or using spam email attachments. These emails could be created with a specific company in mind, and their subject lines and the email messages themselves could be extremely believable and misleading. In this case, if the recipient of the corrupted email opens the attachment, Datper is executed automatically, without any notice. It was found that Daserf is the predecessor of this backdoor malware. This threat was originally coded in Visual C, but then rewritten in Delphi as well. After this, the two backdoor infections have become more similar. It is also known that the Tick group is interchangeably using another backdoor called “Xxmm.”

If Datper establishes communication with a C&C server – which is done using an HTTP protocol – it attempts to send certain information, which might include the host name, the version of the operating system, as well as hardware data. XOR and RC4 encryption algorithms are used to encrypt communication data, and then everything is encoded using Base64. Besides collecting and leaking data, Datper also can configure communication intervals, execute programs or shell commands, and manipulate files. The malware that the backdoor is associated with changes all the time, and the same can be said about the C&C addresses used for communication. That is how the attackers manage to remain active. The sample tested by our team was dropped to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\, and it was called “comine.exe.” It communicated with oonumaboat.com. In other cases, the .exe files are known to use the names of legitimate files (e.g., msupdate.exe), which makes detection and removal processes much harder.

Cyber criminals can exploit backdoors to their own benefit in many different ways, which is why you do not want this malware to invade your operating system. It is silent and nearly impossible to spot in action. Even if your operating system seems to be functioning just fine, you really cannot know for sure if malware does not exist. Install a trusted malware scanner to check if you need to delete Datper from your operating system, and if you do – install trusted anti-malware software. Removing backdoors and other malware that could be active can be extremely difficult even for experienced users, which is why using a tool designed to find and delete malware automatically is the right move. On top of that, if you keep this tool installed and updated, it will keep your operating system against other threats that might try to invade.

Remove Datper

  1. Tap Ctrl+Alt+Delete and choose Start Task Manager.
  2. In the Processes tab look for malicious processes (their names could be misleading).
  3. If you find a malicious process, right-click it and choose Open file location.
  4. Go back to the process, select it, and click End Process.
  5. Go to the malicious .exe file, right-click it, and choose Delete.
  6. Delete other suspicious, recently downloaded files.
  7. Empty Recycle Bin and then quickly perform a full system scan to check for leftovers.

In non-techie terms:

Datper is a backdoor that communicates with attackers via C&C server to receive commands. The attackers can use it in many different ways, including to gather information, as well as to execute malicious files that could create more problems. Without a doubt, it is crucial to delete Datper from the operating system, but since it is silent, not all victims might discover it. Utilizing an anti-malware program that could inspect the system and remove all existing threats is recommended. If you choose to remove malware manually, check out the guide above, but note that identifying backdoor processes and files could be difficult, and there might be many other infections that require removal.