A Matter of Life and Delf? Malware on the Fiddle

There’s been a certain amount of buzz in the past couple of days about messages claiming to link to Wire Transfer information, but actually related to a Trojan commonly called Delf or Doneltart. ESET is detecting the examples we’ve been seeing as a variant of Win32/TrojanDownloader.Delf.OZG.

The messages generally look something like this (at least, all the samples I’ve seen have). The subject field takes the form:

Wire Transfer Info for <1stname> <2ndname>

The message looks like this:

For more details please download the invoice found on this link:

The link goes to a domain in Italy somewhat appropriately named after a region historically associated with violin making, or a subdomain thereof. The fiddle in this case, of course, is that the link is to a Trojan Downloader, this being a very common payload for this family of malware, though some members have been seen to redirect web traffic or mess about with applications.

These messages may look familiar: the gang behind this malware family seems rather fond of social engineering around wire transfers, as a report going back to June from the Internet Storm Center indicates. That’s because in this case at least, quite a few of the targeted domains are financial institutions, and on that occasion the message was along the lines of:

Please check the wire statement attached and let me know if everything is correct.
I am waiting for your reply.

Detection of this wave of malware seems to be reasonable, in general. Here’s a VirusTotal report Pierre-Marc has sent me relating to one of the samples he’s seen (23 detections out of 41 products):


The hit rate varies between samples, though: I’ve seen reports as low as 16 for some, but NOD32 hasn’t failed to detect any of the samples I’ve tried subsequently (half a dozen or so, so far). That doesn’t, of course, mean I can guarantee we have 100% detection!

The really encouraging thing about this issue has been the generous exchange of information between researchers on certain specialist lists. Because of the nature of those lists, it’s best if I don’t name names (apart from Pierre-Marc of course!), but you guys know who you are. :)

Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Author David Harley, ESET

Follow us

Copyright © 2017 ESET, All Rights Reserved.