A newly-discovered malware plug-in for the Cridex Trojan has a database of 137 banks and financial institutions around the globe that are on the attackers’ menus, according to research from M86 Security.
The security firm posted findings a few weeks ago that cyber-criminals had compromised hundreds of WordPress-based sites. The attacks spread via emails with malicious links or HTML attachments leading to compromised sites infected with the Phoenix exploit kit.
“After the target machine is successfully exploited, the Phoenix exploit kit downloads a Trojan to the victim’s machine,” blogged Daniel Chechik, a researcher with M86. “The downloaded Trojan is recognized by antivirus vendors under several names such as Cridex, Carperb and Dapato. Antivirus detection is quite low and only ten out of 43 antivirus scanners in VirusTotal can detect it.”
Once the Trojan finds a live proxy, it connects to the command and control server and downloads a customized configuration from the attackers, he explained. Currently, the cybercriminals are currently running multiple botnets with over 25,000 infected machines.
Cridex is of course one of many banking Trojans targeting users. Last week, researchers from Symantec shared information on a variant of the Zeus Trojan that uses peer-to-peer technology to communicate – negating, or at least reducing, the need for a central command-and-control server that can be targeted by security companies or researchers.
“This Trojan’s capability is basically similar to Zeus and SpyEye,” he blogged. “It collects information from the user’s machine and sends it to the C&C server. This information can include, for example, cookies, FTP credentials and email accounts.”
“The cybercriminals can track specific Web sites that are accessed by the user by taking screenshots of every page the user accessed in real time,” he continued. “They can also blacklist URLs, redirect URLs and more. Same as with the Zeus Trojan, the administrators can supply a code to be injected into Web pages. The Cridex Trojan intercepts browser requests and changes the displayed content according to the configuration, written by the administrator of the botnet. This way the cybercriminal can trick the user to enter valuable information the cybercriminal is looking for, without raising suspicion.”
Chechik did not name the specific banks being targeted.