Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

New Cridex Malware Uses Self-Spreading Infection Mechanism

New Version of Cridex Malware Combines Data Stealer and Email Worm

A new version of the data-stealing malware Cridex (Feodo/Bugat) has been found to rely on a worm in order to spread from one computer to another.

New Version of Cridex Malware Combines Data Stealer and Email Worm

A new version of the data-stealing malware Cridex (Feodo/Bugat) has been found to rely on a worm in order to spread from one computer to another.

Researchers from threat protection firm Seculert analyzed the self-spreading infection system used by the Trojan dubbed “Geodo.” Once it infects a system, the threat downloads a second piece of malware, a worm, that starts communicating with a command and control (C&C) server from which it gets the information needed for the distribution process.

The C&C provides the worm with a list of 50,000 stolen Simple Mail Transfer Protocol (SMTP) account credentials, along with the details of the SMTP servers. The malware also receives email body text, email subject lines, “from” addresses, and a list of 20 email addresses to which messages are sent using the stolen SMTP credentials. After the malicious emails are sent to the batch of 20 addresses, the process is repeated for another 20 targets.

The campaign is focused on German-speaking countries, one of the emails analyzed by Seculert being designed to look like an invoice from the Sparkassen-Finanzgruppe (German Savings Bank Financial Group). The fake notifications carry a link to an archive file containing an executable disguised as a harmless PDF document. When the PDF file is opened, Geodo is downloaded onto the victim’s computer.

The source of the 50,000 SMTP credentials is unclear, but Seculert believes that the Geodo botnet has been used to obtain the information. Most of the compromised account credentials are from Germany (46%) and Poland (25%), but countries such as Austria, the United States, Hungary, Switzerland, the United Kingdom, Italy and the Netherlands are also on the list.

Seculert CTO Aviv Raff told SecurityWeek that the 50,000 stolen credentials suggests that there are at least 50,000 infections, but the actual number is probably much higher. The campaign is still active, Raff said.

First reports of Geodo came in June from the Swiss security blog Abuse.ch, which noted that fake Deutsche Telekom, Vodafone and O2 invoices designed to distribute the malware had been sent out since late May. Abuse.ch believes that this is a completely new threat that can be considered a direct successor of Cridex.

Advertisement. Scroll to continue reading.

Raff confirmed to SecurityWeek that the Geodo code is new, but he highlighted that it uses the same C&C infrastructure as Cridex.

Abuse.ch = reported that Geodo is designed to help cybercriminals commit online banking fraud, just like Cridex, but Seculert warns that the threat could also be used to compromise an organization’s intellectual property.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

MorganFranklin Cyber has appointed Keith Hollender as CEO and member of the Board of Directors.

Lisa Banks has been named Chief Financial Officer at Abnormal Security.

Threat detection and response company Trellix has appointed Vishal Rao as its new CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.