Dorifel Malware Encrypts Files, Steals Financial Data, May Be Related to Zeus or Citadel

While much of the world was focused yesterday on the Gauss malware saga, there was another interesting infection happening, mainly in the Netherlands, that researchers think may be related to the Zeus and Citadel attacks, though the motivation behind the attack is somewhat of a mystery. The new malware, called Dorifel, has infected thousands of businesses in the Netherlands and Europe and researchers say that it’s stealing online banking data and the crew behind it may be working on some other attack campaigns, as well.

Dorifel is being distributed through phishing emails with a link, which, when clicked, will take the user to a site from which a binary is downloaded. The malware then downloads a secondary component that encrypts the files on the infected machine. This is the kind of behavior that one might expect from a piece of ransomware, such as Reveton, but there is no demand for payment from the victim. The malware also will look for network shares and then attempt to encrypt files found on those, as well.
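The behaviour described above, a payload that encrypts documents on the local disk and then on reachable network shares, leaves a measurable trace: documents that should be mostly text suddenly become high-entropy blobs. The following is an added example, not code from the article or from any of the researchers quoted, of a simple defender's check that walks a share (or a local folder) and flags document files whose bytes look encrypted. The watched extensions, the entropy threshold and the sample files are assumptions constructed for the demonstration; it is a generic mass-encryption symptom check, not a Dorifel signature.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed set of document types worth watching on a file share.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}

# Plain text and typical office documents sit well below 7.5 bits/byte;
# ciphertext and compressed data sit close to 8.0. Threshold is an assumption.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_share(root: str, threshold: float = ENTROPY_THRESHOLD) -> list[str]:
    """Return share-relative paths of watched documents whose first 64 KiB
    look encrypted (entropy at or above the threshold)."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in DOC_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)  # a prefix is enough to judge entropy
            if shannon_entropy(head) >= threshold:
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def mass_encryption_suspected(root: str, min_fraction: float = 0.5) -> bool:
    """True when at least `min_fraction` of the watched documents on the share
    look encrypted, i.e. the whole share, not one odd file, has been hit."""
    total = sum(
        1
        for dirpath, _, names in os.walk(root)
        for n in names
        if os.path.splitext(n)[1].lower() in DOC_EXTENSIONS
    )
    if total == 0:
        return False
    return len(scan_share(root)) / total >= min_fraction


def build_sample_share() -> str:
    """Construct a throwaway directory that stands in for a network share:
    one plaintext document, one 'encrypted' document (random bytes), and one
    unwatched file. All contents are constructed for this example."""
    root = tempfile.mkdtemp(prefix="share_")
    with open(os.path.join(root, "report.doc"), "wb") as fh:
        fh.write(b"Quarterly report: revenue steady, costs down. " * 300)
    with open(os.path.join(root, "invoice.xls"), "wb") as fh:
        fh.write(os.urandom(8192))  # stands in for a file the malware encrypted
    os.makedirs(os.path.join(root, "hr"))
    with open(os.path.join(root, "hr", "notes.txt"), "wb") as fh:
        fh.write(os.urandom(8192))  # high entropy but not a watched type
    return root


if __name__ == "__main__":
    share = build_sample_share()
    print("flagged:", scan_share(share))
    print("mass encryption suspected:", mass_encryption_suspected(share))
```

Run this periodically against a share and alert when the flagged fraction jumps; a single high-entropy spreadsheet is noise, but half the documents on a share turning to ciphertext within one scan interval is the signal an infection like this one would produce.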

Researchers looking at the Dorifel infections found that, aside from the odd concentration of infections in the Netherlands, there are a couple of other odd components to the attack campaign. David Jacoby, a malware researcher at Kaspersky Lab, traced the malware back to its hosting servers and found that not only was Dorifel being hosted there, several other pieces of malware were being hosted on those boxes as well, along with a lot of stolen financial information.

“This is a very strong indication that the gang behind the Dorifel malware was also doing some other really nasty scams. We were also able to download other samples of various malware which are still being investigated by the malware analysts at Kaspersky Lab,” Jacoby said.

Along with the stolen financial data, which included credit card numbers, CVVs and victims’ names, the servers also contained exploits for a pair of Java vulnerabilities. One of those flaws, CVE-2012-0507, has been used in a variety of targeted attacks and other malware campaigns. 

Analysts at Fox-IT looked at the malware and attack techniques and saw indications that the attack may be somehow related to the Zeus and Citadel malware.

“The big question is, of course, what is the purpose of this Trojan. One might suspect it is ransomware, but without a ransom note I guess that would be a no go. The fact that it infects shares means that it will spread to other systems that open the infected ‘documents’ on a share. Additionally, HTTP-based connection functionality suggests that the Trojan has additional download tasks and likely executes additional payloads on systems that have been infected. Given the modus operandi of this operation, it is likely that it downloads the Citadel Trojan and this entire attack was just to increase the size of the botnet through spreading of network shares. Currently, however, there appears to be no task defined and no additional malware is downloaded,” the company said in its analysis.

Jacoby saw some of the same indications in his research, as well, but nothing completely definitive about the link between Dorifel and Zeus or Citadel.

“As mentioned before, we did find some interesting financial information, which could be an indication that this malware scam is related to for example ZeuS/Citadel, but since we have not yet identified any malware related to ZeuS/Citadel we cannot confirm it. All we can confirm is that the same server does store stolen financial information. We are still investigating this,” he said.

The large majority of the infections from Dorifel have been found in the Netherlands so far, but there also are infected machines in other European countries, including Denmark, and a handful in the United States, too.