Vulnerabilities / Threats
7/1/2014
06:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Infamous Banking Malware Adds Email-Sending Feature

Cridex -- a.k.a. Feodo and Bugat -- now has a more streamlined and automated way of infecting victims and stealing their information.

A new version of an infamous banking worm comes with built-in stolen email account and server credentials for automatic email worm attacks to continue its spread.

The so-called Cridex data-stealing malware, a.k.a. Feodo and Bugat, now has a more streamlined and automated way of infecting victims, researchers at Seculert found. Once it's on a victim's machine, the new variant, dubbed Geodo by Seculert, downloads a second piece of malware that communicates with a command-and-control server. That second piece of malware is a worm that has 50,000 stolen SMTP email account credentials, including those of the associated SMTP servers.

Armed with those credentials, the malware sends out emails from legitimate accounts to other potential victims in an effort to continue its spread. Aviv Raff, CTO at Seculert, says this basically allows the infected bot to do the dirty work of infecting additional machines.

So far, the majority of the victims appear to be German speakers -- the emails are written mostly in German -- and 46% of the stolen credentials come from Germany.

"Usually we see additional malware they download from some other attacker that uses the same machine, or additional components that add some capabilities to the malware itself. This is the first time I've seen something that combines it," Raff says. "This downloads something that itself it sends to new victims. That's unique."

Seculert isn't sure from where the 50,000 stolen credentials were pilfered, but believes that the Cridex malware grabbed them. With the Geodo malware combination, a victim organization can also be at risk of its intellectual property being stolen, according to the firm.

Cridex traditionally had been known to spread via removable drives, but newer versions of the malware began arriving via Blackhole exploit kits, according to Trend Micro. There also are versions of the malware that use the domain generation algorithm (DGA) to keep its URLs moving targets from researchers and law enforcement.

Raff says the attackers don't appear to be a nation-state sponsored group, but they are out to steal as much information as they can from their victims. "The actual malware is doing everything… stealing browser session files, etc. They usually take everything and then sell" infected machines to other cybercriminals or nation-state spies.

Dell SecureWorks has also been watching the latest variant of the malware. "We have looked at the latest iteration -- we've been calling it Bugat v4 -- but haven't seen that particular plug-in downloaded yet. The malware has become more modular and there are different plugins delivered to different customers, so probably not all of them paid to get the spreader plugin," says Joe Stewart, director of malware research for Dell SecureWorks.

Stewart says the added email spreader and network sniffing are all things crimeware variants have used before. "It's really just another step in the evolution of this malware that closely follows development patterns we've witnessed in the past."

Technical details and screen shots of the attack are available here from Seculert.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4467
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3, does not properly determine scrollbar boundaries during the rendering of FRAME elements, which allows remote attackers to spoof the UI via a crafted web site.

CVE-2014-4476
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4477
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4479
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4480
Published: 2015-01-30
Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.