Exprez.B Train from Spain to Holland, a.k.a. Dorifel

Thanks to Denis Carmody for his assistance with this research.

In June we blogged about a new version of the threat family that targeted Spanish companies and institutions named Trojan.Exprez.B. More recently, we have encountered a new version of Trojan.Exprez.B that targets companies in The Netherlands and Denmark. It is still the same threat, but with new updates and new targets. The threat is also referred to as XDocCrypt and Dorifel.

As described in our previous blog, Trojan.Exprez.B was able to spread through removable and network drives and to infect executables and Office documents—so what are the August updates?

Previously, the Trojan was infecting only .exe, .doc, and .docx files, whereas now .xls and .xlsx documents have also been added to the list of targeted files.

Furthermore, the samples that we analyzed in June contained an obfuscated URL pointing to an image file, which has also been updated:

  • https://forum.perf[REMOVED]acy.com/image.php?u=4140 (The previous URL)
  • https://forum.4g[REMOVED]e.com/image.php?u=18736 (The new URL)

For our curious readers, the images can be seen below:

The images themselves are not malicious, but if we examine them carefully, we can determine that they have been used as steganographic content in order to send some strings to the threats. If we take the steganographic content and use one of the de-obfuscation algorithms of the threat, we can retrieve the list of URLs sent to the threat that are to be used as future downloads. Fortunately, these URLs seem to have been deactivated and now point to legitimate Web pages.

The attackers have also updated the mechanism that ensures the persistency of the file after the compromised computer restarts.

The previous version of the threat would copy itself to the following location, which is a .dll file that would be loaded by the Operating System:
%Windir%\xpsp2res.dll

The new version copies itself as well as a link to the threat to randomly named folders and file names such as:

  • %UserProfile%\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe
  • %UserProfile%\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe.lnk

For example:

  • %UserProfile%\Application Data\K20SNM\K0HK2R.exe
  • %UserProfile%\Application Data\K20SNM\K0HK2R.exe.lnk

The Trojan then creates the following registry entry so that the .lnk file gets executed whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%USERPROFILE%\APPLIC~1\K20SNM\K0HK2R~1.LNK"

The mechanism to infect files remains unchanged: make a copy of the threat, encrypt the user's file, and append it to the new threat.

As always, Symantec customers will be protected against this new threat family. Droppers of the threat will be detected as Trojan.Exprez.B!gen2 and infected files will be detected as Trojan.Exprez.B. The engine will recover and disinfect files, but users will still need to rename the extension of the file. For example, if a repaired file has the following name:
[ORIGINAL FILE NAME]xcod.scr

It would need to be renamed as the following:
[ORIGINAL FILE NAME].docx