
Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City

ACG-CYBER SECURITY BULLETIN NR 271: UNDERSTANDING THE RISK OF SPY.DELF TROJAN

Reference Number ACG-CSB 102422271

         The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY 

Spy.Delf is a high-risk trojan that infiltrates systems and records sensitive data. According to published malware analyses, some variants are distributed through a bogus Adobe Acrobat Reader installer.

More commonly, trojans of this type are delivered through spam email campaigns carrying malicious attachments (usually MS Office documents) that silently download and install the malware on the system.

The fake Adobe Acrobat Reader installer delivers Spy.Delf in the simplest way: the victim who runs it receives the trojan instead of Acrobat Reader. Once installed, Spy.Delf harvests victims' email login credentials. The information is gathered from a variety of email clients, such as Gmail Notifier, Group Mail, Pop Peeper, and others.

Some Spy.Delf variants also hijack cryptocurrency wallets and steal funds in various cryptocurrencies (Bitcoin and others). In every case, the stolen data is transferred to a remote server controlled by the cybercriminals. The presence of this malware can cause a number of problems. First, the attackers can use the harvested email accounts for identity theft and for sending spam.

For example, criminals can pose as the victim and solicit "loans" from the victim's contacts. They may also steal cryptocurrency worth thousands of dollars. In short, a Spy.Delf infection can result in serious privacy violations and large financial losses.

Spy.Delf is hard to spot because its executable is named "svchost.exe" and placed in the "%AppData%" folder. The legitimate "svchost.exe" lives in the Windows system folder (%SystemRoot%\System32), so the file name alone in a process list does not distinguish the trojan from the real service host; its location and its digital signature do. A "svchost.exe" running from a user profile directory such as %AppData%, or one that is not signed by Microsoft, should be treated as suspicious.

Spy.Delf also creates a number of Windows Registry entries (autostart entries) so that it is launched automatically each time Windows starts. If you suspect your machine is infected with Spy.Delf, run a thorough system scan with a reliable anti-virus/anti-spyware suite and remove any threats found.
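The two indicators described above (a svchost.exe running outside the Windows system folder, and autostart entries pointing into the user profile) can be checked on a suspect host with the following PowerShell triage script. It is an added example written for this bulletin, not code from the bulletin or from any vendor; it assumes an elevated PowerShell 5.1 or later session on the host being examined, and that the genuine svchost.exe resides in System32 or SysWOW64 and carries a valid Microsoft Authenticode signature.

```powershell
# Added triage example (not part of the bulletin). Assumptions: elevated PowerShell 5.1+
# on the host being examined; the genuine svchost.exe resides in System32 or SysWOW64
# and carries a valid Microsoft Authenticode signature.

$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Test-LegitSvchost {
    param([Parameter(Mandatory)][string]$Path)
    # Location check: the image must sit directly in System32 or SysWOW64.
    $dir = Split-Path -Parent $Path
    if (-not ($systemDirs | Where-Object { $_ -ieq $dir })) { return $false }
    # Signature check: a valid Authenticode signature from a Microsoft certificate.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
}

# 1. Running processes named svchost.exe whose image fails either check.
$suspectProcs = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath -and -not (Test-LegitSvchost $_.ExecutablePath) } |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine

# 2. Run/RunOnce autostart values whose command points into a user-writable
#    profile location (AppData, LocalAppData, Temp), where this trojan installs itself.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
# Properties that Get-ItemProperty adds to every result; they are not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$suspectRuns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($metaProps -contains $name) { continue }
        $cmd = [string]($props.$name)
        # Expand %AppData%-style variables so the comparison sees the real location.
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
        $hit = $userWritable | Where-Object {
            $expanded.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
        }
        if ($hit) { [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd } }
    }
}

'== svchost.exe processes outside System32/SysWOW64 or not Microsoft-signed =='
$suspectProcs | Format-Table -AutoSize
'== Run/RunOnce entries pointing into AppData/LocalAppData/Temp =='
$suspectRuns | Format-Table -AutoSize
```

Run it from an administrator prompt, since service-host processes belong to SYSTEM and other service accounts and their image paths are only visible with elevation. The output is triage evidence, not a verdict: legitimate software (updaters, chat clients, cloud-sync agents) routinely starts from %LocalAppData%, so each hit should be confirmed by checking the file's signature and hash before it is removed.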

Spy.Delf is similar to Adwind, FormBook, Emotet, TrickBot, LokiBot, and many other trojans.

These, too, are programmed to collect personal information. In some cases, trojans also drop other malware (often ransomware), so their presence can lead to chain infections. Trojans are a serious threat to your privacy and computer security.

RECOMMENDATION

            The public are advised to follow these tips to reduce the risk of a Spy.Delf Trojan infection:

  • Install a good antivirus program. Antivirus and anti-malware software should be your first line of defense, and it is critical to install something powerful enough for the job. These programs scan your device for problems and notify you when one is found; most will also quarantine and remove the threats they detect.
  • Avoid untrusted downloads. Any download can pose a risk. Websites, ads, and messages that trigger automatic downloads frequently conceal malware. Avoid clicking on banners or suspicious links, avoid shortened URLs, and think twice before allowing any download.
  • Stick to reliable sources. Always use trusted brands, whether it is a website, correspondence, or software. If a product has been tried and tested by the general public, you will know if there are any issues. On the internet, reputation is everything, so always read independent reviews.
  • Install a firewall. Firewalls filter traffic entering your device from the internet. Most operating systems include a built-in firewall; a hardware firewall adds a second layer of protection. Note that a firewall does not stop a program the user chooses to run, but outbound filtering can limit what an installed trojan is able to reach.

For additional information, please refer to the following websites:

  • https://www.safetydetectives.com/blog/what-is-a-trojan-horse-and-how-to-protect-against-it/
  • https://malware.driversol.com/spydelf-trojan-malware-removal

POINT OF CONTACT

   Please contact PMAJ JUN-JUN S DAGURO, Police Community Relations Officer, by e-mail or on telephone number (632) 8723-0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.