# The Curious Case of an Unknown Trojan Targeting German-Speaking Users

by **[Floser Bacurio and Roland Dela Paz | Jun 21, 2016 | Filed in: Security Research](https://blog.fortinet.com/category/security-research)**

Last week, an unidentified malware sample (SHA-256 171693ab13668c6004a1e08b83c9877a55f150aaa6d8a624c3f8ffc712b22f0b) was discovered and [circulated on Twitter](https://twitter.com/JAMESWT_MHT/status/743345104333606912) by researcher @JAMES_MHT. Many researchers, including us, were unable to identify the malware, so we decided to dig a bit further. In this post, we share our findings about this malware: its targets, a technical analysis, the related attacks, and the threat actor behind it.

## Targets

One of the first things we wanted to know was whether this malware has a specific target. Thanks to researcher [@benkow_](https://twitter.com/benkow_), some open directories on the malware C&C were discovered. One of the open directories contained logs of victim IPs and computer names:

Locating the logged IPs shows a concentration of victims from Germany and Austria:

Incidentally, a quick dump of the malware code reveals the strings “my_de” and “my_botnet”, where the “de” in the first string may refer to Germany’s country code:

Because of this, and the results of our analysis below, we tagged this malware DELoader (detected as W32/DELoader.A!tr).

## DELoader Analysis

In a nutshell, DELoader’s primary purpose is to load additional malware onto the system. It does this by initially creating a suspended explorer.exe process:

The injected DLL then attempts to download a file from the link hxxp://remembermetoday4.asia/00/b.bin:

At the time of analysis, the malware C&C had already been sinkholed.
Code-wise, the malware expects to download a portable executable (PE) file, as it validates the MZ header of the downloaded file. If the header is valid, the PE file is copied to newly allocated memory:

It then searches for an instance of a running explorer.exe process, into which it injects the downloaded file using the CreateRemoteThread API:

DELoader’s routine doesn’t tell us much about its intentions, since its payload simply installs an additional PE file. This PE file could be any malware, or simply an updated copy of itself. Either way, it leads us to the next question: what is the motive behind DELoader?

## Related Attacks

The registrant information of the malware C&C, resdomactivationa.asia, leads us to the next clue:

The registrant details list someone named Aleksandr Sirofimov from Russia. Of course, we don’t know whether Aleksandr is a real person, a stolen identity, an alias for a group, or the ‘nom de guerre’ of an individual cybercriminal. However, the important thing is that these same registrant details have been

Below is an overview of some of the related attacks we were able to correlate using the email address sir777alex@outlook.com:

From the above graph we can extract the infection chain for DELoader, which is delivered through malicious JavaScript downloaders:

Since the JavaScript downloaders come in ZIP files with “invoice” themes, they are most likely sent to victims as attachments to malicious emails.

“Aleksandr” registered malicious domains as early as the 3rd quarter of 2015, while DELoader first surfaced by at least February 2016. One of the malicious tools “Aleksandr” used is a Zeus variant, an infamous banking Trojan whose source code was [leaked](http://blog.trendmicro.com/trendlabs-security-intelligence/the-zeus-source-code-leaked-now-what/) five years ago.
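The header validation described above is the same check a defender's sandbox, proxy or triage script applies before treating a fetched blob as a Windows executable. The following Python is an added example written for this post; it is not the post's code and not DELoader's. It walks the MZ header to `e_lfanew`, confirms the `PE\0\0` signature and decodes the `IMAGE_FILE_HEADER`, refusing anything that is truncated or points outside the buffer. The sample images it builds are constructed header-only byte strings, not real binaries.

```python
import struct
from typing import Tuple

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARM", 0xAA64: "ARM64"}
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian)
FILE_HEADER_FMT = "<HHIIIHH"
FILE_HEADER_LEN = struct.calcsize(FILE_HEADER_FMT)


def validate_pe(data: bytes) -> Tuple[bool, str]:
    """Return (True, summary) if `data` carries a well-formed PE header, else (False, reason).

    Every offset is bounds-checked so a truncated or malicious download cannot
    make the check read past the buffer.
    """
    if len(data) < 0x40:  # IMAGE_DOS_HEADER is 64 bytes
        return False, "shorter than an IMAGE_DOS_HEADER"
    if data[:2] != IMAGE_DOS_SIGNATURE:
        return False, "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + FILE_HEADER_LEN > len(data):
        return False, "e_lfanew points past end of data"
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return False, "missing PE signature at e_lfanew"
    machine, sections, _ts, _symtab, _nsyms, _opt_size, chars = struct.unpack_from(
        FILE_HEADER_FMT, data, e_lfanew + 4
    )
    kind = "DLL" if chars & IMAGE_FILE_DLL else "EXE"
    return True, f"{kind} for {MACHINE_NAMES.get(machine, hex(machine))}, {sections} sections"


def build_sample_pe(is_dll: bool = False) -> bytes:
    """Constructed minimal header-only image for demonstration (not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header immediately follows
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x014C, 3, 0, 0, 0, 0xE0, chars)
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr


if __name__ == "__main__":
    for label, blob in [
        ("constructed EXE", build_sample_pe()),
        ("constructed DLL", build_sample_pe(is_dll=True)),
        ("random bytes", b"this is not a PE file at all, just text padding......"),
    ]:
        ok, info = validate_pe(blob)
        print(f"{label:16} -> {'PE' if ok else 'rejected'}: {info}")
```

A sandbox would normally go further (parse the optional header and section table, hash the file, and compare against the IOC hashes at the end of this post), but the bounds-checked walk above is the minimum needed to tell an executable apart from a decoy or an error page returned by a sinkholed C&C.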
Here is a graph of some of the related Zeus variants, out of the many Zeus C&C domains “Aleksandr” registered:

An online search for the domain goodvin77787.in leads us to [this blog](https://rebsnippets.blogspot.com.br/2015/11/dhl-themed-zeus-campaign-is-using.html). The blog describes a DHL-themed Zeus campaign targeting German-speaking users in which all the related Zeus C&Cs were registered using “Aleksandr’s” details. So we now know that the person or persons behind “Aleksandr” have been (or still are) involved in a malicious campaign to steal banking credentials. True to the nature of DELoader, the previous campaign also targeted German-speaking users.

## Are German-Speaking Users “Aleksandr’s” Only Target?

Another domain the individual or group known as “Aleksandr” registered is bestbrowser-2015.biz. This domain was used as a C&C server for Android Marcher variants, an Android banking Trojan sold on Russian underground forums:

Interestingly, these Trojans were configured to steal credentials from Australian banks. Below is a code snippet from one of the Android Marcher samples:

It is worth noting that these Marcher variants surfaced around the same time “Aleksandr” was running Zeus campaigns in the 3rd and 4th quarters of 2015. This suggests that he was running his malicious regional campaigns simultaneously.

## Conclusion

While DELoader is a relatively new malware, the findings in this research demonstrate that the threat actor behind it has actually been around for quite some time and has left a substantial number of fingerprints across the Internet. Historical information shows that the individual or group using the name “Aleksandr” has been involved in stealing banking information not only from German-speaking users but also from Australian users. It is possible that DELoader may be used for similar purposes in the future. We are unable to confirm the legitimacy of “Aleksandr’s” registrant details, or whether he (or they) is working with a group.
We may, however, have an idea of where “Aleksandr” is located.

You might also have noticed that one of the IPs deviated from that area: it resolved to Kiev, Ukraine:

This is odd, since German is not a common language in Ukraine. So we theorized that this anomalous entry may be due to someone testing DELoader. To test our theory, we looked up the IP in the C&C logs to find more information. Can you find the interesting string in the IP’s computer name below?

High five if you found “ALEXANDR”.

-= FortiGuard Lion Team =-

## IOCs

_DELoader SHA-256 hashes (all detected as W32/DELoader.A!tr):_

- 72faed0bc66afe1f42bd7e75b7ea26e0596effac65f67c0ac367a84ec4858891
- 5d759710686db2c5b81c7125aacf70e252de61ab360d95e46cee8a9011c5693f
- c16281c83378a597cbc4b01410f997e45b89c5d06efada8000ff79c3a24d63ca
- 171693ab13668c6004a1e08b83c9877a55f150aaa6d8a624c3f8ffc712b22f0b
- 5afee15a022fcdb12cc791dd02db0ec6beb2e9152b312b2251f2b8ecfe62e03c
- 103c6f425cfcd5eb935136f8c4ce51b9556974545bc6b7947039405164d46b0d
- 73 7b54 290b297 713 0 b07 7 2d822
- 67 d61b9981256464273d63892

_Related domains:_

- yberprojects22017.info
- masterhost8981.asia
- nov15mailmarketing.in
- auspostresponse22.asia
- goodwinn8.asia
- mastehost12312.asia
- masterhost1333.asia
- marketingmas.in.net
- remembermetoday4.asia
- startupproject33676.asia
- bestbrowser-2015.biz
- marketing5050.asia
- marketingking878.asia
- yidckntbrmhuuhmq.com
- resdomactivationa.asia
- ukcompanymarketing.asia
- goodvin77787.in
- jajajakala8212.asia
- masterhost122133.asia
- masterj.in
- lalalababla.asia
- responder201922.asia
- cyberprojects2727.info
- super-sexy-girl2015.net
- jxsraxhlccokkrob.com
- mastehost88832.asia
- masterlin888.pw
- mamba777.in
- copolsox.us
- 10cyberprojects2016.asia
- startupproject336.asia

Tags: [zeus banking trojan](https://blog.fortinet.com/tag/zeus-banking-trojan), [zbot](https://blog.fortinet.com/tag/zbot), [bank fraud](https://blog.fortinet.com/tag/bank-fraud), [DELoader](https://blog.fortinet.com/tag/deloader), [Android Marcher](https://blog.fortinet.com/tag/android-marcher)
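To show how the IOC list above is put to work on the defensive side, here is an added Python example (written for this post; not the authors' tooling) that matches outbound proxy log entries against the listed C&C domains and checks file hashes against the listed SHA-256 values. The domain match is suffix-based so that a subdomain of a listed C&C still hits, while a look-alike host that merely contains a listed name (for example `masterhost8981.asia.example.net`) does not. The log lines and the file bytes are constructed sample data; the domains and hashes are taken from the IOC list.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Subset of the C&C domains and SHA-256 hashes from the IOC list above.
IOC_DOMAINS = {
    "remembermetoday4.asia", "resdomactivationa.asia", "bestbrowser-2015.biz",
    "goodvin77787.in", "masterhost8981.asia", "auspostresponse22.asia",
}
IOC_SHA256 = {
    "171693ab13668c6004a1e08b83c9877a55f150aaa6d8a624c3f8ffc712b22f0b",
    "72faed0bc66afe1f42bd7e75b7ea26e0596effac65f67c0ac367a84ec4858891",
    "5d759710686db2c5b81c7125aacf70e252de61ab360d95e46cee8a9011c5693f",
}

# Constructed proxy log in a "timestamp client method url" layout (not real traffic).
SAMPLE_PROXY_LOG = """\
1466500000.123 10.1.2.3 GET http://remembermetoday4.asia/00/b.bin
1466500001.456 10.1.2.4 GET https://www.example.com/index.html
1466500002.789 10.1.2.5 GET http://cdn.bestbrowser-2015.biz/upd.php
1466500003.012 10.1.2.6 POST http://masterhost8981.asia.example.net/x
1466500004.345 10.1.2.7 GET https://GOODVIN77787.IN./gate.php
"""

HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)


def host_matches_ioc(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")  # normalise case and a trailing FQDN dot
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched domain) for every line contacting a listed C&C."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skip malformed or blank lines instead of crashing
            continue
        ts, client, _method, url = parts
        m = HOST_RE.match(url)
        if not m:
            continue
        ioc = host_matches_ioc(m.group(1))
        if ioc:
            hits.append((ts, client, ioc))
    return hits


def hash_matches_ioc(data: bytes) -> Optional[str]:
    """Return the SHA-256 hex digest of `data` if it is a listed DELoader hash, else None."""
    digest = hashlib.sha256(data).hexdigest()
    return digest if digest in IOC_SHA256 else None


if __name__ == "__main__":
    for ts, client, ioc in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} contacted listed C&C {ioc}")
    # A constructed blob will not hash to a listed value; a quarantined sample might.
    print("constructed blob listed:", hash_matches_ioc(b"constructed sample bytes"))
```

Lines 1, 3 and 5 of the sample log are hits; line 4 is deliberately a near-miss that a naive substring search would flag. In practice the full domain list from the post would be loaded from a file, and a hit should be followed by the host triage that the analysis section describes (a suspended or injected explorer.exe process on the client).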