We received a submission from one of our customers that downloaded some suspicious files from a certain website. We checked the files, confirmed that they are actually malicious and added detection for them as Trojan:BAT/Delosc.A. Everything seemed normal, until we looked at the website that the files were downloaded from, which suggested that there's more to it than meets the eye.

The website in question is a Romanian website, asistentasociala [dot] info. The term "asistenta sociala" translates to "social welfare", and is apparently quite popular. Doing a web search for the term "asistenta sociala" on various search engines, we found that the website is ranked within the first two pages of the results.

The website contains various official documents and examples on how they are filled out. It seems to have been hacked, because the original documents have been replaced with malicious executable files (detected as Trojan:BAT/Delosc.A - sample SHA1 759e3dc00415809d0df748e23dcbec1c0265afc1), as seen in Figure 1 below:

DOC replaced with EXE file

Fig. 1 The .doc file is replaced by an .exe file. The word "cerere" translates to "request" or "application")

The malicious files have the same icon as the original documents, so that when they are saved to your computer, you might not notice anything out of the ordinary. In Figure 2 below, the downloaded malicious executables have the icons of an Excel file, a PDF file, and a Word file:

regular icons but EXE files

Fig. 2 The malicious executable using misleading icons.

When run, the malicious executable drops the original document, as in Figure 3. This is probably done to make it appear as if nothing unexpected has occurred:

EXE drops original DOC

Fig. 3 The malicious executable drops the original document.

It also drops a BAT file (also detected as Trojan:BAT/Delosc.A - SHA1 ECD0C54B085BDBBECF25FA44EEF69F9B5F776621) in the Temporary Files folder as "open_file.bat". This file does the rest of the malicious actions.

The BAT file tries to delete files and folders from two software solutions mainly used in Romanian institutions: Indaco (software that offers services for legal documentation) and Aplxpert (a document management system based on regulations designed for public administration).

It also proceeds to delete folders (along with the files inside) that contain the following strings: "aplxpert", "indaco" (as previously mentioned), "mondo", "agr", "factur" (invoice), "gami", "multi", "glob", "alocati", "arenda", "social", "assist", "vmg", "asf", "lemne" (wood), "incalz" (heating) on the C, D, E, F, G, H drives, as you can see from the malware code in Figure 4:

malware code

Fig. 4 The malware code showing the strings.

Based on these actions, it seems like if you're working for a Romanian government institution and your computer gets infected by this malware, you may no longer be able to use either of these tools. In addition, folders containing files pertinent to your work may be deleted if you named your folders using any of the mentioned strings.

Aside from government employees, it also looks like this malware could cause trouble for a user who is searching for documents related to social welfare. For example, if you're looking for help on how to fill out a form for heating assistance, you might end up inadvertently having files deleted from your computer if you saved them within a folder that uses any of these strings.

The website owner has been contacted and the malicious files have been removed.

Replacing the original documents with malicious executables is something we have seen before. But this trojan is deleting files that the user seems to be looking for help for, while at the same time posing as those very files. In the process, actual important official documents may be deleted, thus posing a very real threat to users.

We recommend that you always pay attention to the downloaded files and look out for files that have the icon for one file type but the extension for another. And as always, run an antivirus solution to protect your computer against these kinds of threats. For website owners, make sure you take steps to harden your website so that you can protect its integrity.

--

Andrei Saygo && Daniel Radu

MMPC Dublin