Crooks connect to the banking account from the victim's IP address

Aug 16, 2014 07:32 GMT  ·  By

Security researchers have found a new strain of the Cridex banking malware, one that relies on HTML injections very similar to Gameover Zeus (GOZ), making it more sophisticated and efficient.

Cridex, also known as Bugat, Feodo, and Geodo, does not rely on a peer-to-peer (P2P) infrastructure for communicating with its command and control servers, and it mostly serves the malicious purpose of stealing online banking credentials.

Malware researchers at IBM X-Force, who identify the malware as Bugat, have analyzed the new samples of the malware and determined that “the HTML injections used are very similar — and in some cases identical — to GOZ.”

One reason behind this improvement of the malware could be that the operators of Cridex have reverse-engineered a sample of GOZ and copied the HTML injections, adapting them for their crime tool.

Etay Maor, a senior fraud prevention strategist at IBM’s security arm, Trusteer, also speculates that a member of the GOZ group could have made the move to the Cridex team and spilled the details; however, he points out that this would be less likely to happen because the two groups are competitors.

According to the researchers, the new capabilities available in Cridex allow it to overcome security measures such as two-factor authentication or IP reputation.

After infecting the computer, Cridex waits for the user to access one of the targeted banks. When this happens, it automatically redirects the user to a fake website impersonating the bank's and prompts the victim to enter their login credentials.

In real time, the malware establishes a connection with the bank and signs in from the infected computer's IP address; this way, the bank is not alerted in any way to the fraudulent operation, because no known malicious address is used, thus defeating any IP reputation check that might be enforced.

Two-factor authentication login protection is also defeated in the same way: the one-time code the victim types into the fake page is captured and relayed to the bank just like the login credentials.

A user trying to connect to their account never actually sees the real page for logging into their online banking account. All the pages they are served are fake and controlled by the crooks; they are designed to collect the banking details needed to access the victim's account and initiate money transfers.

Researchers have observed the new variants to spread in the United Kingdom and the Middle East.

Efforts to disrupt the Gameover Zeus botnet have been made by law enforcement agencies and numerous private companies in a joint international operation, and parts of the botnet have been taken down.

However, despite the Department of Justice’s initial success, there is evidence that new versions of the malware are currently being distributed for rebuilding the bot army.