Spam containing Cridex Banking Trojan on the rise (July 13, 2012)

Dell SonicWALL Threats Research team observed an increase in spam themes containing a newer variant of the Cridex Banking Trojan. We observed two different spam themes serving this Trojan, one of which purported to be from United Postal Service with an invoice attached. The other theme enticed the user to open scandalous pictures in the attachment. The zipped attachments in these emails contain a newer variant of the Cridex Banking Trojan. We have observed this Trojan being served through other spam themes in the past, both as attachments and as links leading to exploit kits.

Samples of the spam themes used are shown below:
screenshot

The Trojan inside the zipped attachment looks like:
screenshot

The Cridex Trojan when executed performs the following activities:

  • It creates the following files:
    • %appdata%\KB00052230.exe (copy of itself) [Detected as GAV: Cridex.E (Trojan)]
    • %appdata%\{RandomHex}\{RandomHex} (files that contain intercepted banking credentials)
    • %temp%\exp1E.tmp.bat (batch file)
  • It creates the following registry keys:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: "%appdata%\KB00052230.exe"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S38C2CF0E (the list of banks, injection scripts and configuration are stored in this key)
  • The bat file "%temp%\exp1E.tmp.bat" contains directives to delete the original executable and itself:

    screenshot

  • It contacts one of the hardcoded C&C servers to report infection and download the configuration file:

    screenshot

  • It hooks various APIs for code injection in order to intercept banking credentials:

    screenshot

  • A sample of the configuration file stored in the registry key is shown below:

    screenshot

  • A sample of captured data stored in "%appdata%\{RandomHex}\{RandomHex}" is shown below:

    screenshot
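
The file and registry indicators listed above can be turned into a read-only host triage check. The following PowerShell function is an added example, not code from the SonicWALL advisory: it looks for the dropped copy, the batch file, the Run persistence entry, the configuration key and any hex-named folder/file pair under %APPDATA%, and reports what it finds without deleting anything. Two assumptions are built in: the name of the Run value is not given on the page (only its data is), so every Run value is inspected by its data, and the captured-data path is read as a hex-named folder holding a hex-named file.

```powershell
# Added example (not from the SonicWALL advisory): read-only triage of a Windows
# host for the Cridex.E indicators described above. Reports findings, changes nothing.
# Assumptions: the Run value name is unknown, so all Run values are checked by data;
# the credential store is taken to be %APPDATA%\<hex>\<hex> (folder + file).

function Find-CridexIndicators {
    [CmdletBinding()]
    param(
        [string]$AppData = $env:APPDATA,
        [string]$Temp    = $env:TEMP
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Dropped copy of the Trojan and the self-deleting batch file
    $dropped = @(
        (Join-Path $AppData 'KB00052230.exe'),
        (Join-Path $Temp    'exp1E.tmp.bat')
    )
    foreach ($path in $dropped) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings.Add([pscustomobject]@{ Type = 'File'; Location = $path; Detail = 'indicator file present' })
        }
    }

    # 2. Persistence: any Run value whose data references the dropped copy
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path -LiteralPath $runKey) {
        $psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
        $run = Get-ItemProperty -LiteralPath $runKey
        foreach ($prop in $run.PSObject.Properties) {
            if ($psMeta -contains $prop.Name) { continue }   # provider bookkeeping, not Run values
            if ("$($prop.Value)" -match 'KB00052230\.exe') {
                $findings.Add([pscustomobject]@{ Type = 'Registry'; Location = "$runKey\$($prop.Name)"; Detail = $prop.Value })
            }
        }
    }

    # 3. Configuration store (bank list, injection scripts) under Windows NT
    $cfgKey = 'HKCU:\Software\Microsoft\Windows NT\S38C2CF0E'
    if (Test-Path -LiteralPath $cfgKey) {
        $findings.Add([pscustomobject]@{ Type = 'Registry'; Location = $cfgKey; Detail = 'configuration key present' })
    }

    # 4. Captured-data files: %APPDATA%\<hex>\<hex> (layout assumed, see above).
    #    Purely hex-named folder/file pairs are unusual for legitimate software, so flag them for review.
    $hexName = '^[0-9A-Fa-f]{6,}$'
    foreach ($dir in Get-ChildItem -LiteralPath $AppData -Directory -ErrorAction SilentlyContinue) {
        if ($dir.Name -notmatch $hexName) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir.FullName -File -ErrorAction SilentlyContinue) {
            if ($file.Name -match $hexName) {
                $findings.Add([pscustomobject]@{ Type = 'File'; Location = $file.FullName; Detail = 'hex-named file in hex-named folder (review for captured credentials)' })
            }
        }
    }

    return $findings
}

# Usage: run in the affected user's session; a non-zero exit code lets a scheduler or EDR job pick up hits.
$hits = @(Find-CridexIndicators)
if ($hits.Count -eq 0) {
    Write-Output 'No Cridex.E indicators found.'
} else {
    $hits | Format-Table -AutoSize
    exit 1
}
```

Because the Trojan copies itself to a fixed file name and registers that path under HKCU Run, the first two checks are exact matches; the hex-name check is a heuristic and its hits should be inspected rather than acted on automatically.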

Geographical distribution of spam targets and C&C servers is shown below. It is evident from this data that users of banking institutions in the United States were primarily targeted.

screenshot

screenshot

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Cridex.E (Trojan)
  • GAV: Banker.Q_5 (Trojan)
  • GAV: Banker.PST#email (Trojan)
  • GAV: Banker.PST#email_2 (Trojan)