by RSS Floser Bacurio and Roland Dela Paz  |  Jun 21, 2016  |  Filed in: Security Research

Last week, an unidentified malware (with SHA-256 171693ab13668c6004a1e08b83c9877a55f150aaa6d8a624c3f8ffc712b22f0b) was discovered and circulated on Twitter by researcher @JAMES_MHT. Many researchers - including us - were unable to identify the malware so we decided to dig a bit further.

In this post, we will share our findings about this malware: its targets, technical analysis, the related attacks and the threat actor behind it.

Targets

One of the first things we wanted to know is if this malware has a specific target–thanks to researcher @benkow_ some open directories on the malware C&C were discovered. One of the open directories contained logs of victim IPs and computer names:

While there are not that many IP victims logged on this particular C&C, a look-up on ipintel.io showed a concentration of victims from Germany and Austria:

Incidentally, a quick dump of the malware code reveals the string “my_de” and “my_botnet” where the “de” in the first string may refer to Germany’s country code:

Due to this and the results of our analysis below, we tagged this malware DELoader (detected as W32/DELoader.A!tr).

DELoader Analysis

In a nutshell, DELoader’s primary purpose is to load additional malware on the system. It does this by initially creating a suspended explorer.exe process:

It then proceeds to decrypt an embedded DLL from its body and inject it into explorer.exe:

The injected DLL then attempts to download a file from the link hxxp://remembermetoday4.asia/00/b.bin:

Upon the time of analysis, the malware C&C was already sinkholed. Code-wise, the malware expects to download a portable executable (PE) file as it validates the MZ header of the downloaded file. If valid, this PE file is then copied to a newly allocated memory:

It then searches for instance of a running explorer.exe process where it then injects the downloaded file using CreateRemoteThread API:

DELoader’s routine doesn’t tell much about its intentions since its payload simply installs an additional PE file. This PE file could be any malware, or simply an updated copy of itself.

Either way, it leads us to the next question – what is the motive behind DELoader?

Related Attacks

The registrant information of the malware C&C, resdomactivationa.asia, leads us to the next clue:

The registrant details list someone named Aleksandr Sirofimov from Russia. Of course, we certainly don’t know if Aleksandr is a real person, a stolen identity, an alias for a group, or the ‘nom de guerre’ of an individual cybercriminal. However, the important thing is that these same registrant details have been frequently used in the past to register malicious domains.

Below is an overview of some of the related attacks we were able to correlate using the email address sir777alex@outlook.com:

From the above graph we can extract the infection chain for DELoader, which is delivered through malicious JavaScript downloaders:

Since the JavaScript downloaders come from ZIP files with “invoice” themes, it is more or less sent to victims as an attachment to malicious emails.

Furthermore, the above correlation enabled us to identify that the actor (or actors), using the name “Aleksandr,” registered malicious domains as early as the 3rd quarter of 2015, while DELoader first surfaced by at least February of 2016.

One of the malicious tools “Aleksandr” used is a Zeus variation – an infamous banking Trojan whose source code was leaked five years ago. Here is a graph of some of the related Zeus variants out of the many Zeus C&C domains “Aleksandr” registered:

An online search of the domain goodvin77787.in leads us to this blog. The blog talks about a DHL-themed Zeus campaign targeting German-speaking users where all the related Zeus C&Cs were registered using “Aleksandr’s” details.

So we now know that person or persons behind “Aleksandr” have been (or are still) involved in a malicious campaign for stealing banking credentials. True to the nature of DELoader, the previous campaign also targeted German-speaking users.

Are German-Speaking Users "Aleksandr’s" Only Target?

Another domain the individual or group known as “Aleksandr” registered is bestbrowser-2015.biz. This domain was used as a C&C server for Android Marcher variants – an Android banking Trojan sold on Russian underground forums:

Interestingly, these trojans were configured to steal credentials from Australian banks. Below is a code snippet from one of the Android Marcher samples:

It is worth noting that these Marcher variants surfaced around the same time “Aleksandr” was running Zeus campaigns in the 3rd and 4th quarter of 2015. This suggests that he was running his malicious regional campaigns simultaneously.

Conclusion

While DELoader is a relatively new malware, the findings in this research demonstrate that the threat actor behind it has actually been around for quite some time, and has left a substantial amount of fingerprints over the Internet.

Historical information shows that the individual or group using the name “Aleksandr” have been involved in bank information theft not only of German-speaking users, but have also targeted Australian users. It is possible that DELoader may be used to aid in similar purposes in the future.

We are unable to confirm the legitimacy of “Aleksandr’s” registrant details, or if he (or they) is working with a group. We may, however, have an idea on where “Aleksandr” is located.

Earlier, we showed that the geolocations of DELoader victims were concentrated in Germany and Austria. You might have also noticed that one of the IPs deviated from that area – it resolved to Kiev,Ukraine:

This is odd since German is not a common language in Ukraine. So we theorized that this anomalous event may be due to someone testing the DELoader.

To test our theory, we looked up the IP in the C&C logs to find more information. Can you find the interesting string in the IP’s computer name below?

High five if you found “ALEXANDR”.

-= FortiGuard Lion Team =-

IOCs

DELoader SHA-256 hashes (all detected as W32/DELoader.A!tr):

72faed0bc66afe1f42bd7e75b7ea26e0596effac65f67c0ac367a84ec4858891
5d759710686db2c5b81c7125aacf70e252de61ab360d95e46cee8a9011c5693f
c16281c83378a597cbc4b01410f997e45b89c5d06efada8000ff79c3a24d63ca
171693ab13668c6004a1e08b83c9877a55f150aaa6d8a624c3f8ffc712b22f0b
5afee15a022fcdb12cc791dd02db0ec6beb2e9152b312b2251f2b8ecfe62e03c
103c6f425cfcd5eb935136f8c4ce51b9556974545bc6b7947039405164d46b0d
cec73c7b54c290b297a713e0eb07c7c2d822cc67ed61b9981256464273d63892

Domains registered by sir777alex@outlook.com:

yberprojects22017.info
masterhost8981.asia
nov15mailmarketing.in
auspostresponse22.asia
goodwinn8.asia
mastehost12312.asia
masterhost1333.asia
marketingmas.in.net
remembermetoday4.asia
startupproject33676.asia
bestbrowser-2015.biz
marketing5050.asia
marketingking878.asia
yidckntbrmhuuhmq.com
resdomactivationa.asia
ukcompanymarketing.asia
goodvin77787.in
jajajakala8212.asia
masterhost122133.asia
masterj.in
lalalababla.asia
responder201922.asia
cyberprojects2727.info
super-sexy-girl2015.net
jxsraxhlccokkrob.com
mastehost88832.asia
masterlin888.pw
mamba777.in
copolsox.us
10cyberprojects2016.asia
startupproject336.asia
masterhost122133.asia

 

by RSS Floser Bacurio and Roland Dela Paz  |  Jun 21, 2016  |  Filed in: Security Research