A newly-discovered malware plug-in for the Cridex Trojan has a database of 137 banks and financial institutions around the globe that are on the attackers’ menus, according to research from M86 Security.
The security firm posted findings a few weeks ago that cyber-criminals had compromised hundreds of WordPress-based sites. The attacks spread via emails with malicious links or HTML attachments leading to compromised sites infected with the Phoenix exploit kit.
“After the target machine is successfully exploited, the Phoenix exploit kit downloads a Trojan to the victim’s machine,” blogged Daniel Chechik, a researcher with M86. “The downloaded Trojan is recognized by antivirus vendors under several names such as Cridex, Carperb and Dapato. Antivirus detection is quite low and only ten out of 43 antivirus scanners in VirusTotal can detect it.”
Once the Trojan finds a live proxy, it connects to the command and control server and downloads a customized configuration from the attackers, he explained. Currently, the cybercriminals are currently running multiple botnets with over 25,000 infected machines.
Cridex is of course one of many banking Trojans targeting users. Last week, researchers from Symantec shared information on a variant of the Zeus Trojan that uses peer-to-peer technology to communicate – negating, or at least reducing, the need for a central command-and-control server that can be targeted by security companies or researchers.
“This Trojan’s capability is basically similar to Zeus and SpyEye,” he blogged. “It collects information from the user’s machine and sends it to the C&C server. This information can include, for example, cookies, FTP credentials and email accounts.”
“The cybercriminals can track specific Web sites that are accessed by the user by taking screenshots of every page the user accessed in real time,” he continued. “They can also blacklist URLs, redirect URLs and more. Same as with the Zeus Trojan, the administrators can supply a code to be injected into Web pages. The Cridex Trojan intercepts browser requests and changes the displayed content according to the configuration, written by the administrator of the botnet. This way the cybercriminal can trick the user to enter valuable information the cybercriminal is looking for, without raising suspicion.”
Chechik did not name the specific banks being targeted.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
