dutan

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files encrypted by Dutan receive the fixed suffix .dutan (always lower-case).
  • Renaming Convention: The malware renames every affected file to the pattern:
    <original_filename>.<original_extension>.dutan
    Example: Quarterly-Q3.xlsx becomes Quarterly-Q3.xlsx.dutan.
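The renaming convention above is easy to turn into a triage helper. The following is an added example (not code from the original entry): given a directory listing, it recognises Dutan-renamed files, recovers each file's pre-encryption name by stripping the fixed suffix, and builds a histogram of the original extensions so responders can scope which data types were hit. The sample listing is constructed for the demonstration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Renaming convention documented above: <original_filename>.<original_extension>.dutan
# The suffix is always lower-case, so the match is deliberately case-sensitive.
# The original extension may not contain a dot, which is what lets a name such as
# "site.tar.gz.dutan" resolve back to "site.tar.gz".
DUTAN_RE = re.compile(r"^(?P<stem>.+)\.(?P<ext>[^.\\/]+)\.dutan$")


def is_dutan_encrypted(name: str) -> bool:
    """True if the bare file name carries the Dutan suffix in the documented form."""
    return DUTAN_RE.match(name) is not None


def original_name(name: str) -> Optional[str]:
    """Return the pre-encryption file name, or None if the name is not a Dutan rename."""
    m = DUTAN_RE.match(name)
    if m is None:
        return None
    return f"{m.group('stem')}.{m.group('ext')}"


def triage_listing(paths: List[str]) -> Dict[str, object]:
    """Walk a directory listing (full paths, Windows or POSIX separators) and
    report every affected file with its original name plus a histogram of the
    original extensions, which helps scope which data types were hit."""
    affected: List[Tuple[str, str]] = []
    by_extension: Counter = Counter()
    for path in paths:
        basename = path.replace("\\", "/").rsplit("/", 1)[-1]
        orig = original_name(basename)
        if orig is None:
            continue
        affected.append((path, orig))
        by_extension[orig.rsplit(".", 1)[-1].lower()] += 1
    return {"affected": affected, "by_extension": dict(by_extension)}


# Constructed sample listing for demonstration; not taken from a real incident.
SAMPLE_LISTING = [
    r"C:\Finance\Quarterly-Q3.xlsx.dutan",
    r"C:\Finance\Quarterly-Q2.xlsx.dutan",
    r"C:\Finance\info.txt",
    r"C:\Users\alice\Documents\contract.docx.dutan",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Backups\site.tar.gz.dutan",
]

if __name__ == "__main__":
    report = triage_listing(SAMPLE_LISTING)
    for path, orig in report["affected"]:
        print(f"{path}  ->  was {orig}")
    print("hit by extension:", report["by_extension"])
```

A file that had no extension before encryption would not match the documented pattern and is deliberately not reported; widen the regex if a given incident shows such names.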

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Dutan first surfaced on 6 August 2019 as an off-shoot of the Phobos family. Noticeable spikes in submissions to ID-ransomware occurred in August-October 2019 and again in Q1-2020, with scattered detections continuing to the present day.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • RDP brute-force / credential stuffing (most common).
    • Malvertising e-mails delivering IQY → PowerShell → Dutan dropper.
    • Exploitation of un-patched servers (e.g., Confluence CVE-2019-3396, MSSQL xp_cmdshell).
    • Manual deployment by affiliates after an initial-access-broker foothold (human-operated, not worm-like).
    • No evidence of SMB/EternalBlue auto-propagation; relies on least-privilege lateral-movement scripts (Cobalt Strike/PowerShell).

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Disable RDP from the Internet or enforce IP whitelisting, MFA or a VPN tunnel.
    • Use strong, unique passwords + 14-day lock-out for RDP/Admin accounts.
    • Segment networks (VLANs) and apply “least-privilege” SMB shares; block 445/139 inbound.
    • Keep operating systems, Confluence, MSSQL, VPN appliances, and mail servers fully patched.
    • Run up-to-date EDR/AV that detects Phobos/Dutan signatures: Trojan:Win32/Phobos.PB!MTB, Ransom:Win32/Phobos.PK!MTB, etc.
    • Deploy application whitelisting or, at minimum, disable Office macros and PowerShell for general users.
    • Maintain daily off-site/offline backups (3-2-1 rule) – and test restores regularly.

2. Removal

  • Infection Cleanup (step-by-step):
    1. Power off the affected machine(s) to stop further encryption; disconnect from LAN/Wi-Fi.
    2. Create a bit-level image (DD or VHDX) of one sample system for forensics.
    3. Boot clean media (Win-PE/Kaspersky-RescueDisk) → delete scheduled tasks named “Dutan”, “TimeTriggerTask”, “SystemRestore”, and the following file artefacts:
       • %LOCALAPPDATA%\rstwg.exe (main payload)
       • %PROGRAMDATA%\Logs\pop.wrm (ransom note generator)
       • Any binaries signed “Symantec ft. Dutan” (invalid cert).
    4. Clean WMI event subscriptions and Auto-Run registry keys (HKCU & HKLM Run/RunOnce) that call the above EXE.
    5. Before re-imaging, remove the volume shadow copies (the malware has already emptied them, but clear any residual vssadmin delete shadows /all logs).
    6. Patch the original entry vector (reset breached admin accounts, install the Confluence fix, close external 3389, etc.).
    7. Finally rebuild/restage the OS, or roll out a clean golden image; never “clean” a production OS and keep it online.
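Steps 3 and 4 above are where responders most often miss a leftover artefact. The following added example (not code from the original entry) shows how to triage an exported persistence snapshot against the named artefacts before deleting anything: it assumes the scheduled tasks, Run/RunOnce values and WMI event consumers of a host have been exported into the simple dictionary layout shown, flags task names from the list above, and flags any task action, Run value or WMI consumer command that launches rstwg.exe or pop.wrm, whether the path is still written with %VARS% or already expanded. The snapshot data is constructed for the demonstration.

```python
import re
from typing import Dict, List

# Persistence artefacts named in the removal steps above.
SUSPECT_TASK_NAMES = {"dutan", "timetriggertask", "systemrestore"}

# Match the payload / note-generator file names wherever they occur in a command
# line, whether the path still uses %VARS% or has already been expanded. The
# lookahead stops "rstwg.exe.bak" or "rstwg.exe2" from matching.
PAYLOAD_RE = re.compile(r"(?:^|[\\/])(?:rstwg\.exe|pop\.wrm)(?![\w.])", re.IGNORECASE)


def references_payload(command: str) -> bool:
    """True if a task action, Run value or WMI consumer command launches a known artefact."""
    return PAYLOAD_RE.search(command or "") is not None


def triage_persistence(snapshot: Dict[str, List[dict]]) -> List[dict]:
    """Flag scheduled tasks, Run/RunOnce values and WMI event consumers that
    match the Dutan artefacts. Returns one finding per flagged item with the
    reasons it was flagged, so an analyst can review before deleting."""
    findings: List[dict] = []

    for task in snapshot.get("scheduled_tasks", []):
        reasons = []
        if task["name"].lower() in SUSPECT_TASK_NAMES:
            reasons.append("task name matches a Dutan task name")
        if references_payload(task.get("action", "")):
            reasons.append("task action launches a Dutan file artefact")
        if reasons:
            findings.append({"source": "scheduled_task", "item": task["name"], "reasons": reasons})

    for entry in snapshot.get("autoruns", []):
        if references_payload(entry.get("data", "")):
            item = f"{entry['hive']}\\{entry['key']}\\{entry['value_name']}"
            findings.append({"source": "autorun", "item": item,
                             "reasons": ["Run/RunOnce value launches a Dutan file artefact"]})

    for consumer in snapshot.get("wmi_consumers", []):
        if references_payload(consumer.get("command", "")):
            findings.append({"source": "wmi_consumer", "item": consumer["name"],
                             "reasons": ["WMI event consumer launches a Dutan file artefact"]})
    return findings


# Constructed snapshot, as if exported from schtasks, the Run keys and the
# root\subscription WMI namespace of one host; not real incident data.
SAMPLE_SNAPSHOT = {
    "scheduled_tasks": [
        {"name": "TimeTriggerTask", "action": r"%LOCALAPPDATA%\rstwg.exe"},
        {"name": "MicrosoftEdgeUpdateTaskMachineUA",
         "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua"},
        {"name": "Dutan", "action": r'cmd.exe /c start "" "%LOCALAPPDATA%\rstwg.exe"'},
    ],
    "autoruns": [
        {"hive": "HKCU", "key": r"Software\Microsoft\Windows\CurrentVersion\Run",
         "value_name": "rstwg", "data": r"C:\Users\bob\AppData\Local\rstwg.exe"},
        {"hive": "HKLM", "key": r"Software\Microsoft\Windows\CurrentVersion\Run",
         "value_name": "SecurityHealth", "data": r"%windir%\system32\SecurityHealthSystray.exe"},
    ],
    "wmi_consumers": [
        {"name": "ReportConsumer", "command": r"C:\Program Files\Vendor\report.exe /quiet"},
        {"name": "SystemRestore", "command": r'cmd.exe /c "%PROGRAMDATA%\Logs\pop.wrm"'},
    ],
}

if __name__ == "__main__":
    for finding in triage_persistence(SAMPLE_SNAPSHOT):
        print(finding["source"], finding["item"], "->", "; ".join(finding["reasons"]))
```

Matching on the file name rather than the full path is deliberate: the Run value on a real host usually holds the expanded user-profile path, while the task action may still hold the %LOCALAPPDATA% form, and both should be caught.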

3. File Decryption & Recovery

  • Recovery Feasibility:
    Dutan uses AES-256 in CBC mode per-file, with the AES key encrypted by a single RSA-2048 public key embedded in the binary. The private key is held only by the operator.
    Decrypting files without the criminal’s private key is computationally infeasible.
    No free Phobos/Dutan decryptor exists; any site advertising one is a scam.

  • What you CAN try:
    • Search shadow-volume copies (vssadmin list shadows) – the malware deletes them, but some multi-drive servers occasionally retain older restore points on secondary volumes.
    • Look for Windows “Previous Versions” cached by OneDrive, Dropbox, Code42, Veeam, Macrium, etc.
    • Run file-carving / undelete tools (PhotoRec, R-Studio) on the HDD; Dutan does not overwrite file data, so recently overwritten Office temp files may be recoverable.
    • If the victim has a paid EDR platform that recorded file writes, extract originals from the EDR vault (e.g., CrowdStrike “RTR” bulk-get).

  • Essential Tools/Patches:
    • Microsoft SCEP patch for BlueKeep (CVE-2019-0708) & related RDP hardening patches.
    • Atlassian Confluence Server updates dated 19 Aug 2019 or later (CVE-2019-3396).
    • Kaspersky PhobosDecryptKill – signature removal utility (cleans encrypted .exe stubs left behind, no decrypt capability).
    • Microsoft Defender signatures ≥1.315.1108.0 (detects Dutan/Phobos payloads).

4. Other Critical Information

  • Additional Precautions / Unique Characteristics:
    • Dutan is a Phobos v2.9.3 fork; it drops TWO ransom notes:
      info.hta (HTML application auto-launched via mshta.exe)
      info.txt (root and every encrypted folder)
    • The Victim-ID is written in the note; the ID string is also embedded as a registry value under HKCU\Software\dutan.
    • No lateral SMB propagation – but manual scripts purposely wake up domain controllers and SQL servers; therefore examine logs for runas /netonly or PowerShell remoting (Enter-PSSession) a few minutes before mass encryption began.
    • Ransom demand starts around 0.14 BTC (~US $4 k in 2020) and escalates every 72 h. Operators run a TOR “support” portal; however, payment does not guarantee a working decryptor – some decrypters crash on volumes >2 TB.
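The log-review advice above (look for runas /netonly or Enter-PSSession shortly before mass encryption) can be automated over an exported event timeline. The following is an added example, not code from the original entry: it assumes events have been flattened to one line each in the form "<ISO-8601 timestamp> <host> <message>", takes the earliest rename to a .dutan name as the onset of encryption, and returns every runas /netonly or PowerShell-remoting event, on any host, inside a configurable window before that moment. The log lines are constructed for the demonstration; hosts, users and paths are made up.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# One event per line: "<ISO-8601 timestamp> <host> <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
# Indicators named above: runas /netonly and PowerShell remoting (Enter-PSSession).
RUNAS_NETONLY_RE = re.compile(r"\brunas(?:\.exe)?\b.*?/netonly\b", re.IGNORECASE)
PSREMOTING_RE = re.compile(r"\bEnter-PSSession\b", re.IGNORECASE)
# A rename whose destination carries the .dutan suffix marks encryption activity.
ENCRYPT_RE = re.compile(r"->\s+\S+\.dutan\s*$")


def parse_log(text: str) -> List[Dict[str, object]]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        events.append({"ts": datetime.fromisoformat(m.group("ts")),
                       "host": m.group("host"), "msg": m.group("msg")})
    return events


def encryption_onset(events) -> Optional[datetime]:
    """Timestamp of the earliest .dutan rename, i.e. when mass encryption began."""
    times = [e["ts"] for e in events if ENCRYPT_RE.search(e["msg"])]
    return min(times) if times else None


def lateral_movement_before_onset(events, window_minutes: int = 10) -> List[Dict[str, object]]:
    """Return runas /netonly and PowerShell-remoting events, across all hosts,
    that fall within `window_minutes` before encryption onset, oldest first."""
    onset = encryption_onset(events)
    if onset is None:
        return []
    start = onset - timedelta(minutes=window_minutes)
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not (start <= e["ts"] < onset):
            continue
        if RUNAS_NETONLY_RE.search(e["msg"]):
            kind = "runas /netonly"
        elif PSREMOTING_RE.search(e["msg"]):
            kind = "PowerShell remoting"
        else:
            continue
        hits.append({"ts": e["ts"].isoformat(), "host": e["host"], "kind": kind,
                     "seconds_before_onset": int((onset - e["ts"]).total_seconds())})
    return hits


# Constructed sample log (not from a real incident); hosts, users and paths are made up.
SAMPLE_LOG = r"""
2020-02-11T01:10:00 WS07 Process Create: runas.exe /netonly /user:CORP\admin mmc.exe
2020-02-11T02:41:05 FS01 Process Create: runas.exe /netonly /user:CORP\svc_backup cmd.exe
2020-02-11T02:43:30 WS07 Process Create: notepad.exe
2020-02-11T02:44:12 DC01 PowerShell remoting session opened: Enter-PSSession -ComputerName DC01 from WS07
2020-02-11T02:45:50 DC01 Process Create: whoami.exe
2020-02-11T02:47:02 FS01 File rename: D:\Finance\Quarterly-Q3.xlsx -> D:\Finance\Quarterly-Q3.xlsx.dutan
2020-02-11T02:47:03 FS01 File rename: D:\Finance\Quarterly-Q2.xlsx -> D:\Finance\Quarterly-Q2.xlsx.dutan
2020-02-11T02:48:10 DC01 File rename: C:\Users\Public\notes.txt -> C:\Users\Public\notes.txt.dutan
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("encryption onset:", encryption_onset(evs))
    for hit in lateral_movement_before_onset(evs):
        print(f"{hit['ts']} {hit['host']:5} {hit['kind']:20} {hit['seconds_before_onset']}s before onset")
```

The window is global rather than per host on purpose: in the sample the remoting session is opened on DC01 from WS07 while the first renames land on FS01, which is exactly the cross-host pattern the note above describes. Widening the window (the 120-minute run in the test) also surfaces the earlier runas on WS07, so tune it to the dwell time observed in the specific incident.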

  • Broader Impact:
    Manufacturing, municipal governments, and healthcare clinics in Europe & LATAM have reported multi-day outages (50–200 endpoints). Total average recovery cost (labor + downtime + ransom) for small-to-mid-size victims has ranged $120 k – $300 k, making it cheaper to rebuild/re-image with solid backups rather than pay.

    Share IoCs with your community:
    Sample SHA-256: 0ed361e6438be90a8e20ce354b61e1a5c93b95b4eaba6dba88b89fa9e7bc9b8c
    C2: dutanhelp[.]xyz, dutandecrypt[.]xyz (TOR only)
    BTC addresses: 1Dutan5YqZm6ygFXXX... (vary per campaign)

Stay secure, patch early, back-up off-line, and never expose RDP to the open Internet.