Last week, an unidentified malware (with SHA-256 171693ab13668c6004a1e08b83c9877a55f150aaa6d8a624c3f8ffc712b22f0b) was discovered and circulated on Twitter by researcher @JAMES_MHT. Many researchers - including us - were unable to identify the malware so we decided to dig a bit further.
In this post, we will share our findings about this malware: its targets, technical analysis, the related attacks and the threat actor behind it.
One of the first things we wanted to know is if this malware has a specific target–thanks to researcher @benkow_ some open directories on the malware C&C were discovered. One of the open directories contained logs of victim IPs and computer names:
While there are not that many IP victims logged on this particular C&C, a look-up on ipintel.io showed a concentration of victims from Germany and Austria:
Incidentally, a quick dump of the malware code reveals the string “my_de” and “my_botnet” where the “de” in the first string may refer to Germany’s country code:
Due to this and the results of our analysis below, we tagged this malware DELoader (detected as W32/DELoader.A!tr).
In a nutshell, DELoader’s primary purpose is to load additional malware on the system. It does this by initially creating a suspended explorer.exe process:
It then proceeds to decrypt an embedded DLL from its body and inject it into explorer.exe:
The injected DLL then attempts to download a file from the link hxxp://remembermetoday4.asia/00/b.bin:
Upon the time of analysis, the malware C&C was already sinkholed. Code-wise, the malware expects to download a portable executable (PE) file as it validates the MZ header of the downloaded file. If valid, this PE file is then copied to a newly allocated memory:
It then searches for instance of a running explorer.exe process where it then injects the downloaded file using CreateRemoteThread API:
DELoader’s routine doesn’t tell much about its intentions since its payload simply installs an additional PE file. This PE file could be any malware, or simply an updated copy of itself.
Either way, it leads us to the next question – what is the motive behind DELoader?
The registrant information of the malware C&C, resdomactivationa.asia, leads us to the next clue:
The registrant details list someone named Aleksandr Sirofimov from Russia. Of course, we certainly don’t know if Aleksandr is a real person, a stolen identity, an alias for a group, or the ‘nom de guerre’ of an individual cybercriminal. However, the important thing is that these same registrant details have been frequently used in the past to register malicious domains.
Below is an overview of some of the related attacks we were able to correlate using the email address firstname.lastname@example.org:
Furthermore, the above correlation enabled us to identify that the actor (or actors), using the name “Aleksandr,” registered malicious domains as early as the 3rd quarter of 2015, while DELoader first surfaced by at least February of 2016.
One of the malicious tools “Aleksandr” used is a Zeus variation – an infamous banking Trojan whose source code was leaked five years ago. Here is a graph of some of the related Zeus variants out of the many Zeus C&C domains “Aleksandr” registered:
An online search of the domain goodvin77787.in leads us to this blog. The blog talks about a DHL-themed Zeus campaign targeting German-speaking users where all the related Zeus C&Cs were registered using “Aleksandr’s” details.
So we now know that person or persons behind “Aleksandr” have been (or are still) involved in a malicious campaign for stealing banking credentials. True to the nature of DELoader, the previous campaign also targeted German-speaking users.
Another domain the individual or group known as “Aleksandr” registered is bestbrowser-2015.biz. This domain was used as a C&C server for Android Marcher variants – an Android banking Trojan sold on Russian underground forums:
Interestingly, these trojans were configured to steal credentials from Australian banks. Below is a code snippet from one of the Android Marcher samples:
It is worth noting that these Marcher variants surfaced around the same time “Aleksandr” was running Zeus campaigns in the 3rd and 4th quarter of 2015. This suggests that he was running his malicious regional campaigns simultaneously.
While DELoader is a relatively new malware, the findings in this research demonstrate that the threat actor behind it has actually been around for quite some time, and has left a substantial amount of fingerprints over the Internet.
Historical information shows that the individual or group using the name “Aleksandr” have been involved in bank information theft not only of German-speaking users, but have also targeted Australian users. It is possible that DELoader may be used to aid in similar purposes in the future.
We are unable to confirm the legitimacy of “Aleksandr’s” registrant details, or if he (or they) is working with a group. We may, however, have an idea on where “Aleksandr” is located.
Earlier, we showed that the geolocations of DELoader victims were concentrated in Germany and Austria. You might have also noticed that one of the IPs deviated from that area – it resolved to Kiev,Ukraine:
This is odd since German is not a common language in Ukraine. So we theorized that this anomalous event may be due to someone testing the DELoader.
To test our theory, we looked up the IP in the C&C logs to find more information. Can you find the interesting string in the IP’s computer name below?
High five if you found “ALEXANDR”.
-= FortiGuard Lion Team =-
DELoader SHA-256 hashes (all detected as W32/DELoader.A!tr):
Domains registered by email@example.com: