Cridex Trojan actively spreading with IRS theme mails (November 2, 2012)

The Dell SonicWALL Threats Research team discovered a new variant of an information-stealing Trojan in the wild that steals sensitive information from the user's system. The malware arrives as an E-mail message claiming that the recipient's income tax refund appeal has been declined by the IRS, with the details supposedly contained in the attached IRS letter.

A sample E-mail message from this campaign is shown below:

[Screenshot: sample E-mail message from the campaign]

The zip attachment in the E-mail contains the malware executable.

Infection cycle

The infection begins when the user opens the malicious file inside the zip attachment. The malware drops a copy of itself and modifies the system registry so that the dropped copy runs on every reboot. The dropped filename uses the format KB%08d.exe, i.e. KB followed by an eight-digit number and the .exe extension. A second malicious file, exp.tmp.exe, is also dropped; it injects malicious code into explorer.exe.

Following are the malicious files dropped on the system:

  • C:\Documents and Settings\Owner\Application Data\KB00654892.exe [Detected as GAV: Cridex.SRI_2 (Trojan)]
  • C:\Documents and Settings\Owner\Local Settings\Temp\exp.tmp.exe [Detected as GAV: Kryptik.ALRY (Trojan)]

The following entry was added to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: "C:\Documents and Settings\xxxx\Application Data\KB00654892.exe"

The malware also drops a batch file as C:\Documents and Settings\Owner\Local Settings\Temp\exp.tmp.bat that checks for and deletes the original file. The infected instance of explorer.exe was observed connecting to a number of domains on port 8080:

  • rob.roboticwares.com
  • recipe.devrich.com
  • khtweb.sote.hu

We also found a number of hardcoded C&C IP addresses in the executable, all using port 8080.

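As an added example that is not part of the original SonicALERT, the following Python triage helpers turn the host and network indicators described above (the KB%08d.exe copy launched from the HKCU Run key, the exp.tmp.* helpers in the Temp folder, and an injected explorer.exe talking to port 8080) into checks a responder can run over exported data. The registry export tuples, file list and "process,dst_ip,dst_port" connection records are constructed sample data in an assumed format, not captures from a real infection.

```python
import re

# Indicators taken from the advisory above: the dropped copy KB<8 digits>.exe run
# from HKCU\...\Run, the exp.tmp.* helpers in the user's Temp folder, and an
# injected explorer.exe talking to C&C on TCP 8080.
DROPPED_NAME = re.compile(r"(?:^|\\)KB\d{8}\.exe$", re.IGNORECASE)
TEMP_HELPERS = re.compile(r"\\Local Settings\\Temp\\exp\.tmp\.(?:exe|bat)$", re.IGNORECASE)
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
CNC_PORT = 8080

def check_run_entries(entries):
    """entries: (key_path, value_name, command) tuples exported from the registry.
    Returns commands whose target matches the KB%08d.exe persistence pattern."""
    return [cmd for key, _name, cmd in entries
            if key.lower() == RUN_KEY.lower() and DROPPED_NAME.search(cmd.strip('"'))]

def check_file_paths(paths):
    """Returns paths matching either the dropped copy or the Temp helpers."""
    return [p for p in paths if DROPPED_NAME.search(p) or TEMP_HELPERS.search(p)]

def check_connections(records):
    """records: 'process,dst_ip,dst_port' lines (constructed format, assumed to
    come from an endpoint agent). explorer.exe itself has no reason to open
    outbound connections to port 8080, so any such connection is flagged."""
    hits = []
    for line in records:
        proc, dst, port = line.strip().split(",")
        if proc.lower() == "explorer.exe" and int(port) == CNC_PORT:
            hits.append((dst, int(port)))
    return hits

# Constructed sample host data (not captured from a real infection).
SAMPLE_RUN = [
    (RUN_KEY, "KB00654892", r'"C:\Documents and Settings\Owner\Application Data\KB00654892.exe"'),
    (RUN_KEY, "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_FILES = [
    r"C:\Documents and Settings\Owner\Application Data\KB00654892.exe",
    r"C:\Documents and Settings\Owner\Local Settings\Temp\exp.tmp.exe",
    r"C:\Documents and Settings\Owner\Local Settings\Temp\exp.tmp.bat",
    r"C:\Documents and Settings\Owner\Local Settings\Temp\KB1234.exe",  # 4 digits: benign
]
SAMPLE_CONNS = [
    "explorer.exe,203.0.113.10,8080",  # TEST-NET address standing in for a C&C host
    "iexplore.exe,203.0.113.11,8080",  # a browser on 8080 is not this indicator
    "explorer.exe,192.0.2.20,445",     # SMB from explorer.exe is normal
]
```

Any hit from the three checks is enough to isolate the host for further analysis; the regexes are deliberately tied to the eight-digit filename and the Temp helper names so that a benign KB-prefixed file does not trigger them.
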
The following encrypted communication was observed between the Trojan and the C&C server:

[Screenshot: encrypted traffic between the Trojan and the C&C server]

A similar behavior was observed in a previous SonicALERT for eFax Spam.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Cridex.SRI_2 (Trojan)
  • GAV: Kryptik.ALRY (Trojan)