A Matter of Life and Delf? Malware on the Fiddle
There’s been a certain amount of buzz in the past couple of days about messages claiming to link to Wire Transfer information, but actually related to a Trojan commonly called Delf or Doneltart. ESET is detecting the examples we’ve been seeing as a variant of Win32/TrojanDownloader.Delf.OZG.
The messages generally look something like this (at least, all the samples I’ve seen have). The subject field takes the form:
Wire Transfer Info for <1stname> <2ndname>
The message looks like this:
For more details please download the invoice found on this link:
[http://]<domain></folders>/transfer.php?name=<1stname><2ndname>
The link goes to a domain in Italy somewhat appropriately named after a region historically associated with violin making, or a subdomain thereof. The fiddle in this case, of course, is that the link is to a Trojan Downloader, this being a very common payload for this family of malware, though some members have been seen to redirect web traffic or mess about with applications.
These messages may look familiar: the gang behind this malware family seems rather fond of social engineering around wire transfers, as a report going back to June from the Internet Storm Center indicates. That’s because in this case at least, quite a few of the targeted domains are financial institutions, and on that occasion the message was along the lines of:
Please check the wire statement attached and let me know if everything is correct.
I am waiting for your reply.
Detection of this wave of malware seems to be reasonable, in general. Here’s a VirusTotal report Pierre-Marc has sent me relating to one of the samples he’s seen (23 detections out of 41 products):
The hit rate varies between samples, though: I’ve seen reports as low as 16 for some, but NOD32 hasn’t failed to detect any of the samples I’ve tried subsequently (half a dozen or so, so far). That doesn’t, of course, mean I can guarantee we have 100% detection!
The really encouraging thing about this issue has been the generous exchange of information between researchers on certain specialist lists. Because of the nature of those lists, it’s best if I don’t name names (apart from Pierre-Marc of course!), but you guys know who you are. 
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Leave a Reply
- David Harley (770)
- Randy Abrams (437)
- Cameron Camp (102)
- ESET Research (61)
- Pierre-Marc Bureau (50)
- Stephen Cobb (47)
- Aryeh Goretsky (30)
- Paul Laudanski (17)
- Jeff Debrosse (14)
- Andrew Lee (14)
- Robert Lipovsky (10)
- Sebastian Bortnik (9)
- Dan Clark (8)
- Sébastien Duquette (5)
- Tasneem Patanwala (3)
- Peter Stancik (2)
- Andrea Kokavcova (1)
- David Carnevale (1)
- C. Nicholas Burnett (1)
RSS
