There's been a certain amount of buzz in the past couple of days about messages claiming to link to Wire Transfer information, but actually related to a Trojan commonly called Delf or Doneltart. ESET is detecting the examples we've been seeing as a variant of Win32/TrojanDownloader.Delf.OZG.

The messages generally look something like this (at least, all the samples I've seen have). The subject field takes the form:

Wire Transfer Info for <1stname> <2ndname>

The message looks like this:

For more details please download the invoice found on this link:
[http://]<domain></folders>/transfer.php?name=<1stname><2ndname>

The link goes to a domain in Italy somewhat appropriately named after a region historically associated with violin making, or a subdomain thereof. The fiddle in this case, of course, is that the link is to a Trojan Downloader, this being a very common payload for this family of malware, though some members have been seen to redirect web traffic or mess about with applications.
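The subject and link template described above can be turned into a simple mail-filter heuristic. The following is an added example, not ESET's detection logic or code from the original post; the function name, the verdict labels and the `example.test` sample messages are constructed for illustration, and it assumes the `name` parameter is the two names from the subject joined with no separator, as the template shows.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit, parse_qs

# Subject template from the post: "Wire Transfer Info for <1stname> <2ndname>"
SUBJECT_RE = re.compile(r"^Wire Transfer Info for (\S+) (\S+)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def score_message(raw):
    """Report which parts of the lure template a raw RFC 5322 message matches."""
    msg = message_from_string(raw)
    subject = " ".join((msg.get("Subject") or "").split())  # unfold the header
    m = SUBJECT_RE.match(subject)
    hit = {"subject": bool(m), "link": False, "name_echoed": False}
    body = ""
    for part in msg.walk():  # this sketch inspects the first text/plain part only
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            body = data.decode(part.get_content_charset() or "utf-8", "replace")
            break
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        if not parts.path.lower().endswith("/transfer.php"):
            continue
        hit["link"] = True
        names = parse_qs(parts.query).get("name", [])
        # Assumption: name= is the subject's two names joined with no separator
        if m and names and names[0].lower() == (m.group(1) + m.group(2)).lower():
            hit["name_echoed"] = True
    if hit["subject"] and hit["name_echoed"]:
        hit["verdict"] = "quarantine"  # subject and personalised link agree
    elif hit["subject"] or hit["link"]:
        hit["verdict"] = "review"      # partial match only
    else:
        hit["verdict"] = "pass"
    return hit

# Constructed samples; example.test stands in for the real domain
SAMPLE_LURE = (
    "From: sender@example.test\n"
    "Subject: Wire Transfer Info for Alice Jones\n"
    "\n"
    "For more details please download the invoice found on this link:\n"
    "http://host.example.test/docs/transfer.php?name=AliceJones\n"
)
SAMPLE_BENIGN = (
    "Subject: Wire transfer cut-off times for August\n\n"
    "See https://bank.example.test/help/transfers for details.\n"
)
```

Requiring the link's `name` value to echo the subject keeps the rule tight; a subject or link match on its own is only routed for review.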

These messages may look familiar: the gang behind this malware family seems rather fond of social engineering around wire transfers, as a report going back to June from the Internet Storm Center indicates. That's because, in this case at least, quite a few of the targeted domains are financial institutions. On that occasion the message was along the lines of:

Please check the wire statement attached and let me know if everything is correct.
I am waiting for your reply.

Detection of this wave of malware seems to be reasonable, in general. Here's a VirusTotal report Pierre-Marc has sent me relating to one of the samples he's seen (23 detections out of 41 products):

http://www.virustotal.com/analisis/57b19e0a576be2d0493a00893cbd35e0cb4c278af106e06d9c906ab7028ab73a-1249334843

The hit rate varies between samples, though: I've seen reports as low as 16 for some, but NOD32 hasn't failed to detect any of the samples I've tried subsequently (half a dozen or so, so far). That doesn't, of course, mean I can guarantee we have 100% detection!

The really encouraging thing about this issue has been the generous exchange of information between researchers on certain specialist lists. Because of the nature of those lists, it's best if I don't name names (apart from Pierre-Marc of course!), but you guys know who you are. :)

David Harley
Director of Malware Intelligence