# The Curious Case of an Unknown Trojan Targeting German-Speaking Users **[fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html](https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html)** June 21, 2016 Threat Research By [Floser Bacurio and](https://www.fortinet.com/blog/search?author=Floser+Bacurio) [Roland Dela Paz | June 21, 2016](https://www.fortinet.com/blog/search?author=Roland+Dela+Paz) Last week, an unidentified malware (with SHA-256 171693ab13668c6004a1e08b83c9877a55f150aaa6d8a624c3f8ffc712b22f0b) was [discovered and circulated on Twitter by researcher @JAMES_MHT. Many researchers -](https://twitter.com/JAMESWT_MHT/status/743345104333606912) including us - were unable to identify the malware so we decided to dig a bit further. In this post, we will share our findings about this malware: its targets, technical analysis, the related attacks and the threat actor behind it. ## Targets ----- One of the first things we wanted to know is if this malware has a specific target–thanks to [researcher @benkow_ some open directories on the malware C&C were discovered. One of](https://twitter.com/benkow_) the open directories contained logs of victim IPs and computer names: While there are not that many IP victims logged on this particular C&C, a look-up on ipintel.io showed a concentration of victims from Germany and Austria: Incidentally, a quick dump of the malware code reveals the string “my_de” and “my_botnet” where the “de” in the first string may refer to Germany’s country code: ----- Due to this and the results of our analysis below, we tagged this malware DELoader (detected as W32/DELoader.A!tr). ## DELoader Analysis In a nutshell, DELoader’s primary purpose is to load additional malware on the system. It does this by initially creating a suspended explorer.exe process: It then proceeds to decrypt an embedded DLL from its body and inject it into explorer.exe: ----- The injected DLL then attempts to download a file from the link hxxp://remembermetoday4.asia/00/b.bin: ----- Upon the time of analysis, the malware C&C was already sinkholed. Code-wise, the malware expects to download a portable executable (PE) file as it validates the MZ header of the downloaded file. If valid, this PE file is then copied to a newly allocated memory: ----- It then searches for instance of a running explorer.exe process where it then injects the downloaded file using CreateRemoteThread API: ----- DELoader’s routine doesn’t tell much about its intentions since its payload simply installs an additional PE file. This PE file could be any malware, or simply an updated copy of itself. Either way, it leads us to the next question – what is the motive behind DELoader? ## Related Attacks The registrant information of the malware C&C, resdomactivationa.asia, leads us to the next clue: ----- The registrant details list someone named Aleksandr Sirofimov from Russia. Of course, we certainly don’t know if Aleksandr is a real person, a stolen identity, an alias for a group, or the ‘nom de guerre’ of an individual cybercriminal. However, the important thing is that these same registrant details have been frequently used in the past to register malicious domains. Below is an overview of some of the related attacks we were able to correlate using the email address sir777alex@outlook.com: From the above graph we can extract the infection chain for DELoader, which is delivered through malicious JavaScript downloaders: ----- Since the JavaScript downloaders come from ZIP files with “invoice” themes, it is more or less sent to victims as an attachment to malicious emails. Furthermore, the above correlation enabled us to identify that the actor (or actors), using the name “Aleksandr,” registered malicious domains as early as the 3 quarter of 2015, whilerd DELoader first surfaced by at least February of 2016. One of the malicious tools “Aleksandr” used is a Zeus variation – an infamous banking [Trojan whose source code was leaked five years ago. Here is a graph of some of the related](http://blog.trendmicro.com/trendlabs-security-intelligence/the-zeus-source-code-leaked-now-what/) Zeus variants out of the many Zeus C&C domains “Aleksandr” registered: ----- [An online search of the domain goodvin77787.in leads us to this blog. The blog talks about](https://rebsnippets.blogspot.com.br/2015/11/dhl-themed-zeus-campaign-is-using.html) a DHL-themed Zeus campaign targeting German-speaking users where all the related Zeus C&Cs were registered using “Aleksandr’s” details. So we now know that person or persons behind “Aleksandr” have been (or are still) involved in a malicious campaign for stealing banking credentials. True to the nature of DELoader, the previous campaign also targeted German-speaking users. ## Are German-Speaking Users "Aleksandr’s" Only Target? Another domain the individual or group known as “Aleksandr” registered is bestbrowser**2015.biz. This domain was used as a C&C server for Android Marcher variants – an** Android banking Trojan sold on Russian underground forums: Interestingly, these trojans were configured to steal credentials from Australian banks. Below is a code snippet from one of the Android Marcher samples: ----- It is worth noting that these Marcher variants surfaced around the same time Aleksandr was running Zeus campaigns in the 3 and 4 quarter of 2015. This suggests that he wasrd th running his malicious regional campaigns simultaneously. ## Conclusion While DELoader is a relatively new malware, the findings in this research demonstrate that the threat actor behind it has actually been around for quite some time, and has left a substantial amount of fingerprints over the Internet. Historical information shows that the individual or group using the name “Aleksandr” have been involved in bank information theft not only of German-speaking users, but have also targeted Australian users. It is possible that DELoader may be used to aid in similar purposes in the future. We are unable to confirm the legitimacy of “Aleksandr’s” registrant details, or if he (or they) is working with a group. We may, however, have an idea on where “Aleksandr” is located. Earlier, we showed that the geolocations of DELoader victims were concentrated in Germany and Austria. You might have also noticed that one of the IPs deviated from that area – it resolved to Kiev,Ukraine: This is odd since German is not a common language in Ukraine. So we theorized that this anomalous event may be due to someone testing the DELoader. To test our theory, we looked up the IP in the C&C logs to find more information. Can you find the interesting string in the IP’s computer name below? ----- High five if you found “ALEXANDR”. -= FortiGuard Lion Team = _IOCs_ _DELoader SHA-256 hashes (all detected as W32/DELoader.A!tr):_ _72faed0bc66afe1f42bd7e75b7ea26e0596effac65f67c0ac367a84ec4858891_ _5d759710686db2c5b81c7125aacf70e252de61ab360d95e46cee8a9011c5693f_ _c16281c83378a597cbc4b01410f997e45b89c5d06efada8000ff79c3a24d63ca_ _171693ab13668c6004a1e08b83c9877a55f150aaa6d8a624c3f8ffc712b22f0b_ _5afee15a022fcdb12cc791dd02db0ec6beb2e9152b312b2251f2b8ecfe62e03c_ _103c6f425cfcd5eb935136f8c4ce51b9556974545bc6b7947039405164d46b0d_ _cec73c7b54c290b297a713e0eb07c7c2d822cc67ed61b9981256464273d63892_ _Domains registered by sir777alex@outlook.com:_ _yberprojects22017.info_ _masterhost8981.asia_ _nov15mailmarketing.in_ _auspostresponse22.asia_ _goodwinn8.asia_ _mastehost12312.asia_ _masterhost1333.asia_ _marketingmas.in.net_ _remembermetoday4.asia_ _startupproject33676.asia_ _bestbrowser-2015.biz_ _marketing5050.asia_ _marketingking878.asia_ _yidckntbrmhuuhmq.com_ _resdomactivationa.asia_ _ukcompanymarketing.asia_ _goodvin77787.in_ _jajajakala8212.asia_ _masterhost122133.asia_ _masterj.in_ _lalalababla.asia_ _responder201922.asia_ ----- _cyberprojects2727.info_ _super-sexy-girl2015.net_ _jxsraxhlccokkrob.com_ _mastehost88832.asia_ _masterlin888.pw_ _mamba777.in_ _copolsox.us_ _10cyberprojects2016.asia_ _startupproject336.asia_ _masterhost122133.asia_ ## Related Posts Copyright © 2022 Fortinet, Inc. All Rights Reserved [Terms of ServicesPrivacy Policy](https://www.fortinet.com/corporate/about-us/legal.html) | Cookie Settings -----