# The Curious Case of an … Targeting German-Speaking Users

**by Floser Bacurio and Roland Dela Paz | Jun 21, 2016 | Filed in: Security Research**

Last week, an unidentified malware (with SHA-256 171693ab13668c6004a1e08b83c9877a55f150aaa6d8a624c3f8ffc712b22f0b) was discovered and [circulated on Twitter by researcher @JAMESWT_MHT](https://twitter.com/JAMESWT_MHT/status/743345104333606912). Many researchers, including us, were unable to identify the malware, so we decided to dig a bit further.

In this post, we will share our findings about this malware: its targets, technical analysis, the related attacks, and the threat actor behind it.

## Targets

One of the first things we wanted to know is whether this malware has a specific target. Thanks to researcher [@benkow_](https://twitter.com/benkow_), some open directories on the malware C&C were discovered. One of the open directories contained logs of victim IPs and computer names.

While there are not that many victim IPs logged on this particular C&C, a look-up on _ipintel.io_ showed a concentration of victims in Germany and Austria.

Incidentally, a quick dump of the malware code reveals the strings "my_de" and "my_botnet", where the "de" in the first string may refer to Germany's country code.

Due to this and the results of our analysis below, we tagged this malware DELoader (detected as W32/DELoader.A!tr).

## DELoader Analysis

In a nutshell, DELoader's primary purpose is to load additional malware on the system. It does this by initially creating a suspended explorer.exe process. It then proceeds to decrypt an embedded DLL from its body and inject it into explorer.exe.

The injected DLL then attempts to download a file from the link hxxp://remembermetoday4.asia/00/b.bin.

At the time of analysis, the malware C&C was already sinkholed.
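The injection into explorer.exe described above leaves a trace that endpoint telemetry can catch. As an added example that is not part of the original post, the Python below triages constructed Sysmon CreateRemoteThread (Event ID 8) records for threads started in explorer.exe by a non-allowlisted process whose start address is not backed by any loaded module; the allowlist and the sample file paths are assumptions for the example, and the rule also catches a thread started from an already injected explorer.exe into another explorer.exe.

```python
import xml.etree.ElementTree as ET
NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = "{" + NS_URI + "}"
# Processes allowed to start threads in explorer.exe on this fleet (an assumption, tune per site).
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

def sysmon_event(event_id, **data):
    """Build a minimal Sysmon-shaped XML record (constructed, not real telemetry)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS_URI}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

def parse_event(xml_text):
    """Return the EventID and the EventData fields of one record as a dict."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext(f"./{NS}System/{NS}EventID")}
    for data in root.iter(f"{NS}Data"):
        fields[data.get("Name")] = data.text or ""
    return fields

def is_suspicious_remote_thread(ev):
    """Event ID 8 into explorer.exe from a non-allowlisted process whose thread start
    address is not backed by any loaded module (StartModule empty): the mark of code
    written into the target process and started remotely."""
    if ev.get("EventID") != "8":
        return False
    target, source = ev.get("TargetImage", "").lower(), ev.get("SourceImage", "").lower()
    if not target.endswith("\\explorer.exe") or source in ALLOWED_SOURCES:
        return False
    return ev.get("StartModule", "") == ""

def triage(events_xml):
    """Return the SourceImage of every suspicious record, in input order."""
    hits = []
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        if is_suspicious_remote_thread(ev):
            hits.append(ev["SourceImage"])
    return hits

# Constructed samples: loader -> explorer.exe; injected explorer.exe -> another explorer.exe
# (also caught); a benign csrss.exe thread backed by ntdll.dll; and an ignored process-creation event.
SAMPLE_EVENTS = [
    sysmon_event(8, SourceImage=r"C:\Users\u\AppData\Local\Temp\sample.exe", TargetImage=r"C:\Windows\explorer.exe",
                 StartAddress="0x0000000002A40000", StartModule="", StartFunction=""),
    sysmon_event(8, SourceImage=r"C:\Windows\explorer.exe", TargetImage=r"C:\Windows\explorer.exe",
                 StartAddress="0x0000000003110000", StartModule="", StartFunction=""),
    sysmon_event(8, SourceImage=r"C:\Windows\System32\csrss.exe", TargetImage=r"C:\Windows\explorer.exe",
                 StartAddress="0x00007FF8C2A11234", StartModule=r"C:\Windows\System32\ntdll.dll",
                 StartFunction="RtlUserThreadStart"),
    sysmon_event(1, Image=r"C:\Windows\explorer.exe"),
]
```

Running `triage(SAMPLE_EVENTS)` returns the two injecting source images and leaves the csrss.exe thread and the process-creation record alone.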
Code-wise, the malware expects to download a portable executable (PE) file, as it validates the MZ header of the downloaded file. If valid, this PE file is then copied to newly allocated memory. It then searches for an instance of a running explorer.exe process, into which it injects the downloaded file using the CreateRemoteThread API.

DELoader's routine doesn't tell much about its intentions, since its payload simply installs an additional PE file. This PE file could be any malware, or simply an updated copy of itself. Either way, it leads us to the next question: what is the motive behind DELoader?

## Related Attacks

The registrant information of the malware C&C, resdomactivationa.asia, leads us to the next clue. The registrant details list someone named Aleksandr Sirofimov from Russia. Of course, we certainly don't know if Aleksandr is a real person, a stolen identity, an alias for a group, or the 'nom de guerre'

Below is an overview of some of the related attacks we were able to correlate using the email address sir777alex@outlook.com.

From the above graph we can extract the infection chain for DELoader, which is delivered through malicious JavaScript downloaders.

Furthermore, the above correlation enabled us to identify that the actor (or actors) using the name "Aleksandr" registered malicious domains as early as the 3rd quarter of 2015, while DELoader first surfaced by at least February 2016.

One of the malicious tools "Aleksandr" used is a Zeus variation, an infamous banking Trojan whose [source code was leaked five years ago](http://blog.trendmicro.com/trendlabs-security-intelligence/the-zeus-source-code-leaked-now-what/). Here is a graph of some of the related Zeus variants out of the many Zeus C&C domains "Aleksandr" registered.

[An online search of the domain goodvin77787.in leads us to this blog.](https://rebsnippets.blogspot.com.br/2015/11/dhl-themed-zeus-campaign-is-using.html)
The blog talks about a DHL-themed Zeus campaign targeting German-speaking users, where all the related Zeus C&Cs were registered using "Aleksandr's" details.

So we now know that the person or persons behind "Aleksandr" have been (or are still) involved in a malicious campaign for stealing banking credentials. True to the nature of DELoader, the previous campaign also targeted German-speaking users.

## Are German-Speaking Users "Aleksandr's" Only Target?

Another domain the individual or group known as "Aleksandr" registered is bestbrowser-2015.biz. This domain was used as a C&C server for Android Marcher variants, an Android banking Trojan sold on Russian underground forums.

Interestingly, these trojans were configured to steal credentials from Australian banks. Below is a code snippet from one of the Android Marcher samples.

It is worth noting that these Marcher variants surfaced around the same time "Aleksandr" was running Zeus campaigns in the 3rd and 4th quarters of 2015. This suggests that he was running his malicious regional campaigns simultaneously.

## Conclusion

While DELoader is a relatively new malware, the findings in this research demonstrate that the threat actor behind it has actually been around for quite some time, and has left a substantial amount of fingerprints over the Internet.

Historical information shows that the individual or group using the name "Aleksandr" have been involved in bank information theft not only of German-speaking users, but have also targeted Australian users.
It is possible that DELoader may be used to aid similar purposes in the future.

We are unable to confirm the legitimacy of "Aleksandr's" registrant details, or if he (or they) is working

Earlier, we showed that the geolocations of DELoader victims were concentrated in Germany and Austria. You might have also noticed that one of the IPs deviated from that area: it resolved to Kiev, Ukraine.

This is odd, since German is not a common language in Ukraine. So we theorized that this anomalous event may be due to someone testing DELoader.

To test our theory, we looked up the IP in the C&C logs to find more information. Can you find the interesting string in the IP's computer name below?

High five if you found "ALEXANDR".

-= FortiGuard Lion Team =-

_IOCs_

_DELoader SHA-256 hashes (all detected as W32/DELoader.A!tr):_

_Domains registered by sir777alex@outlook.com:_
**Tags:** zeus banking trojan, zbot, bank fraud, DELoader, Android Marcher