Dorifel botnet attack hits Dutch local authorities hard

The virus infected at least 20 government systems, according to the Dutch National Cyber Security Center

At least 30 local governments, universities and companies have had their systems infected with the XDocCrypt/Dorifel virus in the Netherlands since Wednesday, said the Dutch National Cyber Security Center (NCSC) on Friday. The virus was spread via a botnet called Citadel, which uses code that is based on the Zeus botnet.

The virus hit 3,000 machines globally, and 90 percent of those involved organizations based in the Netherlands, said Kaspersky Lab Expert David Jacoby in a blog post. "We have seen government departments and hospitals being victims," he wrote, adding that other countries with a large number of detected infections were Denmark, the Philippines, Germany, the U.S. and Spain.

It remains unclear if the attacks are specifically targeting governments and high profile companies in the Netherlands, said Jacoby. "This is nothing that we can confirm, but for some reason the vast majority of all the victims come from Netherlands."

The cities of Den Bosch, Venlo, Weert and Borsele are among the infected local Dutch governments, as well as Tilburg, Almere and the province of North-Holland among others, Dutch IDG news site Webwereld reported. The virus that was spread by the Citadel botnet is called Dorifel and infects Microsoft Word and Microsoft Excel documents as well as executable files, according to the NCSC. Microsoft calls the virus Quervar.B and notes that it has been observed contacting remote hosts in order to download files onto computers.

The virus spread via systems that were infected with Citadel for some time, infecting thousands of documents, the NCSC said. Dorifel is known as a banking Trojan designed to steal banking data and log-in credentials, it added. The virus damages Office files, rendering them unreadable via encryption, but the files are not destroyed.

If a user opens the file the virus can spread further via connected network discs, the NCSC said. The infection is activated after a system reboot and then starts looking for Office files.
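The behaviour the NCSC describes above (Office files left encrypted and unreadable, spread across connected network drives) suggests a simple defender-side check that administrators can run over a share before restoring from backup. The following is an added example and not code from the article, the NCSC or any of the vendors quoted: it walks a directory tree and flags Word and Excel files whose first bytes no longer match the container format their extension implies, which is what an encrypted or overwritten document looks like on disk. The directory layout, file names and byte contents in `build_sample_share` are constructed for the demonstration; the signature checks themselves (the OLE2 compound-file header for .doc/.xls, the ZIP header for .docx/.xlsx, and the MZ header that marks a Windows executable) are standard file-format facts.

```python
import tempfile
from pathlib import Path
from typing import List, Tuple

# Office document types the article says Dorifel renders unreadable, and the
# file signature a healthy copy of each type starts with.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # Office Open XML .docx/.xlsx
MZ_MAGIC = b"MZ"                                   # Windows executable header
EXPECTED_MAGIC = {".doc": OLE2_MAGIC, ".xls": OLE2_MAGIC,
                  ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC}


def classify_header(head: bytes, suffix: str) -> str:
    """Classify the first bytes of a file that carries an Office extension.

    Returns 'ok' when the content matches the extension, 'executable' when
    the "document" is really a Windows binary, 'unreadable' when the bytes
    match no known container (what an encrypted document looks like) and
    'unknown' for extensions this check does not cover.
    """
    suffix = suffix.lower()
    if suffix not in EXPECTED_MAGIC:
        return "unknown"
    if head.startswith(MZ_MAGIC):
        return "executable"
    return "ok" if head.startswith(EXPECTED_MAGIC[suffix]) else "unreadable"


def scan_share(root: str) -> List[Tuple[str, str]]:
    """Walk a directory tree (for example a mounted network share) and list
    Office files whose content does not match their extension, sorted by path.

    A hit is a triage lead, not proof: a renamed RTF or plain-text file also
    fails the check, so confirm by opening the file or diffing it against a
    known-good backup copy.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXPECTED_MAGIC:
            continue
        with open(path, "rb") as fh:
            head = fh.read(len(OLE2_MAGIC))  # longest signature we compare
        verdict = classify_header(head, path.suffix)
        if verdict != "ok":
            findings.append((str(path), verdict))
    return sorted(findings)


def build_sample_share(root: str) -> None:
    """Write constructed sample files (not real malware samples) under root:
    two healthy documents, two whose bytes match no container, and one
    non-Office file the scanner must ignore."""
    base = Path(root)
    (base / "finance").mkdir(exist_ok=True)
    samples = {
        "finance/budget.xls": OLE2_MAGIC + b"\x00" * 24,
        "finance/report.docx": ZIP_MAGIC + b"\x14\x00\x06\x00" + b"\x00" * 20,
        "finance/damaged.doc": b"\x8f\x2a\xc1\x77\x03\x9e\x55\xd0" + b"\x11" * 20,
        "minutes.xlsx": b"\x41\xf3\x09\x6b\xe2\x1d\x8c\x70" + b"\x22" * 20,
        "readme.txt": b"plain text, not an Office file\n",
    }
    for name, content in samples.items():
        (base / name).write_bytes(content)


def demo_scan() -> List[Tuple[str, str]]:
    """Build the sample share in a temporary directory, scan it and return the
    findings keyed by file name only, so the result is stable across runs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return [(Path(p).name, verdict) for p, verdict in scan_share(tmp)]


if __name__ == "__main__":
    # Run against the constructed samples; point scan_share() at a real mount
    # (e.g. scan_share("/mnt/shared")) to triage an actual share.
    for name, verdict in demo_scan():
        print(f"{verdict:10s} {name}")
```

Running the block prints the two constructed documents as `unreadable` and stays silent about the healthy ones and the text file. The scanner reads only the first eight bytes of each candidate, so it is cheap enough to run repeatedly over a large share while clean-up is in progress, and the `executable` verdict covers the general case of a file that is named like a document but is really a Windows binary.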

The National Cyber Security Center identified the IP (Internet Protocol) addresses and domains used for spreading the virus and advised system administrators to block access to them on firewalls, proxies and routers to avoid infections.

While most municipalities and the province of North Holland stated on Thursday they had solved the problems, Dorifel nevertheless managed to download new malware to 100 clients on Thursday evening, according to the Dutch security company Fox-IT.

"Today we received a task for xdoccrypt [Dorifel] which did not download the suggested Citadel, but instead downloaded the Hermes banking Trojan, which we suggested to block in our initial post," wrote Michael Sandee, principal security expert at Fox-IT, in a comment on the company's blog on Thursday. "The task was rolled out to only 100 clients, suggesting that the actor is only testing the new Hermes bot," he added.

None of the 40 most used antivirus programs are currently able to detect the Hermes Trojan, according to VirusTotal, a service that analyzes suspicious files and URLs, Sandee noted in his comment.

Hermes has the ability to perform distributed-denial-of-service (DDoS) attacks and can execute remote shell attacks that can be used to run arbitrary commands on a remote computer, Fox-IT's founder and director Ronald Prins added on Twitter. The central machine of the Citadel botnet that is active in the Netherlands is located in the Ukraine, according to Prins.

The Citadel botnet, which was built on Zeus code, was discovered in December and provides AES encryption for configuration files as well as the possibility to block antivirus sites on infected computers and the ability to block automated botnet scanners.

Dutch citizens report that they are being harassed by phone spammers speaking poor English who pose as Microsoft employees offering to help remove the Dorifel virus, the NCSC said.

The callers try to sell fake and pricey antivirus products and ask for credit card data. People who go along with this trick are at risk of giving the attackers control of their PC, the NCSC warned.

The Dorifel virus is "under control" in the Netherlands, but there are some organizations that are still cleaning up their files and systems, the NCSC said on Friday. The IP address used by the botnet was blocked in cooperation with ISPs to prevent further spreading of the virus, it said, adding that since then it has received no additional virus reports.

"The NCSC expects there is a big chance that the worst is over but does not rule out the possibility that there will be more reports," the organization said.

Kaspersky's Jacoby notes that Dorifel is active and infections are still increasing.

Additional reporting by Loek Essers in Amsterdam
