New Cridex Malware Uses Self-Spreading Infection Mechanism

New Version of Cridex Malware Combines Data Stealer and Email Worm

A new version of the data-stealing malware Cridex (Feodo/Bugat) has been found to rely on a worm in order to spread from one computer to another.

Researchers from threat protection firm Seculert analyzed the self-spreading infection system used by the Trojan dubbed “Geodo.” Once it infects a system, the threat downloads a second piece of malware, a worm, that starts communicating with a command and control (C&C) server from which it gets the information needed for the distribution process.

The C&C provides the worm with a list of 50,000 stolen Simple Mail Transfer Protocol (SMTP) account credentials, along with the details of the SMTP servers. The malware also receives email body text, email subject lines, “from” addresses, and a list of 20 email addresses to which messages are sent using the stolen SMTP credentials. After the malicious emails are sent to the batch of 20 addresses, the process is repeated for another 20 targets.

The campaign is focused on German-speaking countries, one of the emails analyzed by Seculert being designed to look like an invoice from the Sparkassen-Finanzgruppe (German Savings Bank Financial Group). The fake notifications carry a link to an archive file containing an executable disguised as a harmless PDF document. When the PDF file is opened, Geodo is downloaded onto the victim’s computer.

The source of the 50,000 SMTP credentials is unclear, but Seculert believes that the Geodo botnet has been used to obtain the information. Most of the compromised account credentials are from Germany (46%) and Poland (25%), but countries such as Austria, the United States, Hungary, Switzerland, the United Kingdom, Italy and the Netherlands are also on the list.

Seculert CTO Aviv Raff told SecurityWeek that the 50,000 stolen credentials suggests that there are at least 50,000 infections, but the actual number is probably much higher. The campaign is still active, Raff said.

First reports of Geodo came in June from the Swiss security blog Abuse.ch, which noted that fake Deutsche Telekom, Vodafone and O2 invoices designed to distribute the malware had been sent out since late May. Abuse.ch believes that this is a completely new threat that can be considered a direct successor of Cridex.

Raff confirmed to SecurityWeek that the Geodo code is new, but he highlighted that it uses the same C&C infrastructure as Cridex.

Abuse.ch = reported that Geodo is designed to help cybercriminals commit online banking fraud, just like Cridex, but Seculert warns that the threat could also be used to compromise an organization’s intellectual property.