Ukrainian Group May Be Behind New DELoader Malware

June 24, 2016

A joint effort from multiple infosec researchers has uncovered more details about a mysterious new malware variant that appeared during the past weeks.

Named DELoader because it was seen targeting only users in German-speaking (DE) countries such as Germany and Austria, the trojan is a malware dropper, also called a malware loader, because its sole purpose is to “drop/load” other malware families on infected systems.

The researchers who analyzed the trojan say DELoader infects victims via malicious JavaScript files packed inside ZIP archives delivered as spam email attachments.
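As an added illustration of how a mail gateway or analyst could flag the delivery vector described above (this is example code written for this page, not anything from the researchers' analysis), the following Python script inspects a ZIP attachment for members a Windows script host would execute; the extension list beyond `.js` and the nested-archive check are assumptions, and the sample archive is constructed inline.

```python
import io
import zipfile

# Extensions a script host runs when double-clicked. The article only mentions
# JavaScript (.js); the remaining entries are an assumption for completeness.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")


def suspicious_members(zip_bytes: bytes, max_depth: int = 2) -> list:
    """Return names of ZIP members that are scripts (nested ZIPs included).

    max_depth bounds recursion so a deliberately deep archive cannot exhaust us.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(SCRIPT_EXTENSIONS):
                found.append(name)
            elif lower.endswith(".zip") and max_depth > 0:
                try:
                    inner = suspicious_members(zf.read(name), max_depth - 1)
                    found.extend(f"{name}/{m}" for m in inner)
                except zipfile.BadZipFile:
                    found.append(name)  # claims to be a ZIP but is not: flag it
    return found


def build_sample(nested: bool = False) -> bytes:
    """Constructed sample attachment: a ZIP carrying a JavaScript file with a
    document-looking double extension, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Rechnung_2016-06.pdf.js", "// constructed placeholder\n")
        zf.writestr("Lesen_Sie_mich.txt", "Bitte Anhang oeffnen\n")
    if not nested:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Anhang.zip", buf.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in suspicious_members(build_sample(nested=True)):
        print("script inside attachment:", hit)
```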

DELoader’s C&C server wasn’t secured, so researchers took a peek

When analyzing this malware, researchers discovered its C&C server: the IP address to which DELoader connects to ask for new instructions or for the download URLs of the malware it fetches in the infection’s second phase.

While looking at this C&C server, one researcher stumbled upon directories left open to the Internet. There, he found a log containing the IP addresses of all targets infected with the DELoader malware.
