A few weeks ago M86 Security Labs alerted that cybercriminals managed to compromise hundreds of WordPress-based sites. These attacks started with several large spam campaigns as reported in our most recent blog post on Cutwail. These emails included embedded URL links or HTML attachments that tricked the user to browse to the compromised Web sites. All these links eventually lead to Web pages infected with the Phoenix exploit kit. These cybercriminals operate Fast flux networks, which are a DNS technique used by botnets to hide the main C&C servers.
After the target machine is successfully exploited, the Phoenix exploit kit downloads a Trojan to the victim’s machine. The downloaded Trojan is recognized by antivirus vendors under several names such as Cridex, Carperb and Dapato. Antivirus detection is quite low and only ten out of 43 antivirus scanners in VirusTotal can detect it.
VirusTotal scan of Cridex
Let’s take a look how this Trojan operates step by step.
Once the Cridex Trojan is loaded to the victims’ machine it executes several actions. First, it copies itself to drive C: as KB00447841.exe and creates the following files:
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT C:\Documents and Settings\Administrator\Application Data\KB00447841.exe |
The BAT file upon its execution removes the original malware downloaded by the Phoenix exploit kit.
In the second phase, the malware hooks into the “explorer.exe” process. Then it communicates with its C&C which is done over Fast flux networks to make it harder to identify and shut down their C&C servers. Every several hours one domain becomes unavailable and is replaced by another one. In some cases, the traffic flow of the Trojan can look like this:
Fiddler dump of the Trojan’s traffic activity
Cridex consistently tries to find a live proxy to reach the C&C server. At first glance the domain names look random. However, when taking a closer look, we see that the Trojan generates a new domain name before every attempt to access the C&C:
Ollydbg – Debugging of "Explorer.exe" infected by the Trojan
Here is a pseudo code of the Trojan’s code:
| ECX = ECX * 0x19660D ECX = ECX + 0x3C6EF35F ECX = ECX << 0×10 ECX = ECX – 0x7FFF EAX = ECX EDX = 0 EAX = EAX XOR 0×88 EBP = 0x1A EAX = EAX / 0x1A EDX = EAX % 0x1A ESI++ EDX = EDX + 0×61 Address[EBX + ESI] = DX If not reached the end of the domain name length continue |
Using this logical algorithm to generate and access domains, the cybercriminals can resume the attack even after their server(s) are offline for some period of time.
Once the Trojan finds a live proxy, it connects to the C&C server and downloads a customized configuration from the Cridex botnet. The cybercriminals are currently running multiple botnets with over 25,000 infected machines.
Cridex botnet control panel
This Trojan’s capability is basically similar to Zeus and SpyEye. It collects information from the user’s machine and sends it to the C&C server. This information can include, for example, cookies, FTP credentials and email accounts.
The configuration panel of the Cridex Trojan
The cybercriminals can track specific Web sites that are accessed by the user by taking screenshots of every page the user accessed in real time. They can also blacklist URLs, redirect URLs and more. Same as with the Zeus Trojan, the administrators can supply a code to be injected into Web pages. The Cridex Trojan intercepts browser requests and changes the displayed content according to the configuration, written by the administrator of the botnet. This way the cybercriminal can trick the user to enter valuable information the cybercriminal is looking for, without raising suspicion.
What’s new in the Cridex Trojan compared to Zeus or SpyEye?
Cridex has a “WORLD BANKER CENTER” plug-in which includes a database of 137 banks. Yes, one hundred, thirty seven different banks or financial organizations from all over the world!
Data collected by the "WORLD BANK CENTER" plug-in
This control panel provides simple user experience for the cybercriminals. It contains the structure of the banking organization’s Web site pages, so the Trojan can identify which valuable fields to send back to the C&C. Moreover, the cybercriminals can create and change forms that are normally completed by the victim.
Templates of "WORLD BANK CENTER" plug-in
In conclusion, the Cridex Trojan takes control of the victim’s machines and allows it to collect information and potentially make fraudulent transactions by manipulating the bank Web pages.
M86 MailMarshal Secure Email Gateway customers are protected against these blended threat spam campaigns, and M86 Secure Web Gateway customers are protected against the Phoenix exploit kit and in particular against the Cridex Trojan.
Leave a reply
