Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

New Cridex Malware Uses Self-Spreading Infection Mechanism

New Version of Cridex Malware Combines Data Stealer and Email Worm

A new version of the data-stealing malware Cridex (Feodo/Bugat) has been found to rely on a worm in order to spread from one computer to another.

New Version of Cridex Malware Combines Data Stealer and Email Worm

A new version of the data-stealing malware Cridex (Feodo/Bugat) has been found to rely on a worm in order to spread from one computer to another.

Researchers from threat protection firm Seculert analyzed the self-spreading infection system used by the Trojan dubbed “Geodo.” Once it infects a system, the threat downloads a second piece of malware, a worm, that starts communicating with a command and control (C&C) server from which it gets the information needed for the distribution process.

The C&C provides the worm with a list of 50,000 stolen Simple Mail Transfer Protocol (SMTP) account credentials, along with the details of the SMTP servers. The malware also receives email body text, email subject lines, “from” addresses, and a list of 20 email addresses to which messages are sent using the stolen SMTP credentials. After the malicious emails are sent to the batch of 20 addresses, the process is repeated for another 20 targets.

The campaign is focused on German-speaking countries, one of the emails analyzed by Seculert being designed to look like an invoice from the Sparkassen-Finanzgruppe (German Savings Bank Financial Group). The fake notifications carry a link to an archive file containing an executable disguised as a harmless PDF document. When the PDF file is opened, Geodo is downloaded onto the victim’s computer.

The source of the 50,000 SMTP credentials is unclear, but Seculert believes that the Geodo botnet has been used to obtain the information. Most of the compromised account credentials are from Germany (46%) and Poland (25%), but countries such as Austria, the United States, Hungary, Switzerland, the United Kingdom, Italy and the Netherlands are also on the list.

Seculert CTO Aviv Raff told SecurityWeek that the 50,000 stolen credentials suggests that there are at least 50,000 infections, but the actual number is probably much higher. The campaign is still active, Raff said.

First reports of Geodo came in June from the Swiss security blog Abuse.ch, which noted that fake Deutsche Telekom, Vodafone and O2 invoices designed to distribute the malware had been sent out since late May. Abuse.ch believes that this is a completely new threat that can be considered a direct successor of Cridex.

Raff confirmed to SecurityWeek that the Geodo code is new, but he highlighted that it uses the same C&C infrastructure as Cridex.

Abuse.ch = reported that Geodo is designed to help cybercriminals commit online banking fraud, just like Cridex, but Seculert warns that the threat could also be used to compromise an organization’s intellectual property.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.