While much of the world was focused yesterday on the Gauss malware saga, there was another interesting infection happening, mainly in the Netherlands, that researchers think may be related to the Zeus and Citadel attacks, though the motivation behind the attack is something of a mystery. The new malware, called Dorifel, has infected thousands of businesses in the Netherlands and Europe, and researchers say that it is stealing online banking data and that the crew behind it may be working on other attack campaigns as well.

Dorifel is being distributed through phishing emails containing a link which, when clicked, takes the user to a site from which a binary is downloaded. The malware then downloads a secondary component that encrypts the files on the infected machine. This is the kind of behavior one might expect from a piece of ransomware such as Reveton, but there is no demand for payment from the victim. The malware also looks for network shares and attempts to encrypt the files it finds on those as well.

Researchers looking at the Dorifel infections found that, aside from the odd concentration of infections in the Netherlands, there are a couple of other unusual components to the attack campaign. David Jacoby, a malware researcher at Kaspersky Lab, traced the malware back to its hosting servers and found that not only was Dorifel being hosted there, but several other pieces of malware were being hosted on those boxes as well, along with a large amount of stolen financial information.

Along with the stolen financial data, which included credit card numbers, CVVs and victims' names, the servers also contained exploits for a pair of Java vulnerabilities. One of those flaws, CVE-2012-0507, has been used in a variety of targeted attacks and other malware campaigns.

Analysts at Fox-IT looked at the malware and attack techniques and saw indications that the attack may be somehow related to the Zeus and Citadel malware.

Jacoby saw some of the same indications in his research as well, but nothing definitive about the link between Dorifel and Zeus or Citadel.

The large majority of the Dorifel infections have been found in the Netherlands so far, but there are also infected machines in other European countries, including Denmark, and a handful in the United States.

Cross-posted from: Threat Post
