The Dorifel malware has infected over 3,000 computers worldwide, attempting to steal sensitive information, encrypt files and install backdoors. While victims can be found in countries such as Denmark, the US, Philippines, Germany and Spain, around 90% of them are actually companies and individuals from the Netherlands.
According to Kaspersky experts, the Trojan is spread via email, using a “right to left” security hole to mask a malicious attachment’s real extension.
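The article does not name the character behind the "right to left" trick. The following is an added example, not Kaspersky's analysis or any Dorifel sample, and it assumes the trick is the Unicode U+202E RIGHT-TO-LEFT OVERRIDE, which makes a viewer render the rest of a filename backwards so that `invoice<RLO>cod.exe` is shown as `invoiceexe.doc` while the operating system still treats it as a `.exe`. It shows how a mail gateway or analyst script can flag such attachment names and recover the real extension; the filenames are constructed.

```python
# Added example (not from the article): detect Unicode bidirectional-override
# characters in an attachment filename and recover the extension the OS
# will actually use. Assumes the "right to left" trick is U+202E (RLO).
import os
import unicodedata

# Bidi control characters that can reorder how a filename is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
}

# Extensions that execute when opened; list is illustrative, not exhaustive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control in the filename."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def true_extension(name):
    """Extension the OS uses: text after the last '.' once controls are stripped."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(cleaned)[1].lower()


def displayed_name(name):
    """Approximate what a user sees: everything after the first RLO rendered
    right to left. Other controls are ignored in this approximation."""
    idx = name.find("\u202e")
    if idx < 0:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def assess_attachment(name):
    """Flag a filename as suspicious when it carries bidi controls and its
    real extension is executable, regardless of what the user would see."""
    controls = find_bidi_controls(name)
    ext = true_extension(name)
    return {
        "controls": controls,
        "true_extension": ext,
        "displayed_as": displayed_name(name),
        "suspicious": bool(controls) and ext in EXECUTABLE_EXTENSIONS,
    }


if __name__ == "__main__":
    # Constructed sample attachment names, not real Dorifel artifacts.
    samples = ["report.pdf", "invoice\u202ecod.exe", "photo\u202egnp.scr"]
    for s in samples:
        r = assess_attachment(s)
        print(f"{r['displayed_as']!r:24} real ext={r['true_extension']:5} "
              f"controls={len(r['controls'])} suspicious={r['suspicious']}")
```

A plain extension filter on the raw string would already stop `.exe` here; the point of stripping the controls first is that a filter looking at the rendered name, or a human reading it, sees `.doc`. Rejecting any attachment name containing these control characters at all is the simplest policy, since they have no legitimate use in filenames.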
During their analysis, researchers noticed that the server hosting the malware also stores other malicious components, not just Dorifel itself. Among them are files containing financial information, new Java exploits (possibly used for drive-by download attacks), webinjects, admin panels, rogue antivirus programs and other malware.
An analysis of Dorifel's command and control server revealed that it is poorly configured, suggesting that the group running the operation is not very skilled. This may also indicate that the individuals who developed the malware are not the same as the ones currently using it.
While it is not yet certain whether the Trojan was designed to target particular government or private organizations in the Netherlands, most of the victims are located there. However, infections have also been recorded in Poland, Romania, Italy, India, Israel, the UK, France and Canada.
The credit card details that were identified on Dorifel’s server indicate that there may be a connection with the infamous ZeuS.
This is not the only piece of malware that has been unveiled by Kaspersky. Yesterday, they released the details on Gauss, a nation-sponsored banking malware that's most likely based on Flame's platform.
Most of its victims are in Lebanon, and it comes with a mysterious encrypted payload that’s activated only in certain circumstances.