We were alerted to reports of a mass compromise of WordPress sites that lead to CRIDEX infection. To lure users to these compromised sites, the cybercriminals behind this employed spammed messages purporting to come from known legitimate sources such Better Business Bureau and LinkedIn, just to name a few. These spam use social engineering tactics to entice unsuspecting users to click the link found in the email.
Based on our analysis, this exploit results to the installation of WORM_CRIDEX.IC on the affected system. When executed, this worm connects to a remote site http://{Random URL}.ru:8080/rwx/B2_9w3/in/ to download its configuration files.
WORM_CRIDEX.IC was also found to generate several random domains using domain generating algorithms (DGA). This is a well-known technique used by cybercriminals to evade law enforcement and to prevent botnets from being shut down. The malware also uses DGA to download its configuration file. As of this writing, the exact behavior of the sample is dependent on the configuration file. Based on static analysis, however, it is capable of executing a file, deleting a file/folder, and retrieving certificates in a certificate store. During our testing, we were unable to download the configuration file as this was no longer available.
Trend Micro protects users from this threat via its Trend MicroT Smart Protection NetworkT that blocks malicious URLs related to this attack as well as detecting the related malware. To avoid encountering these compromised sites, users should think twice before clicking those links found on dubious-looking messages. Always verify the validity of received messages, specially those that claim to be from well-known sources.
With additional text and analysis by security evangelist Ivan Macalintal.
Leave a reply
