Craigslist spam uses Blackhole Exploit to download Cridex Banking Trojan (June 8, 2012)


The Sonicwall UTM research team received reports a new large spam campaign that uses a fake Craigslist automated message that contains a malicious link. The URL inside the e-mail points to a malicious site hosting the blackhole exploit kit. The Blackhole exploit kit as we have seen in past is capable of serving multiple exploits that target Java, Adobe Reader, Adobe Flash player, Windows Media player etc. depending on the victim machine’s configuration. It first attempts to exploit CVE-2006-0003 and if successful downloads and runs Cridex Trojan. Users whose systems are not patched to cover this security hole need only launch the link in their browser to become infected.

The spammed email uses the following text which contains the malicious link:

The webpage contains a javascript function [Detected as GAV: Expack.PP (Exploit)] that contains encrypted code. The decrypted code contains the following shellcode exploit:

The shellcode decrypts a URL that hosts a variant of the Cridex banking Trojan. This Trojan has been covered in a previous sonicalert. It causes the browser to download and execute the Trojan executable:

The Trojan adds the following files to the filesystem:

  • %APPDATA%KB01217753.exe [Detected as GAV: Cridex.MLX (Trojan)]
  • %USERPROFILE%21d0fb5.exe (copy of KB01217753.exe) [Detected as GAV: Cridex.MLX (Trojan)]
  • %USERPROFILE%Local SettingsTempexp3E.tmp.bat

KB01217753.exe and 21d0fb5.exe use the following icons:

exp3E.tmp.bat contains the following text:

      @echo off
      del /F /Q /A "%USERPROFILE%21d0fb5.exe"
      if exist "%USERPROFILE%21d0fb5.exe" goto R
      del /F /Q /A "%USERPROFILE%Local SettingsTempexp3E.tmp.bat"

The Trojan adds the following key to the windows registry to enable startup after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “KB01217753.exe” “%AppData%KB01217753.exe”

The Trojan was observed posting sensitive encrypted system information to a remote server. The behavior of this Trojan is similar to the previous variant:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Cridex.MLX (Trojan)
  • GAV: Expack.PP (Exploit)
  • GAV: Blacole.GB (Exploit)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.