Phishing emails are sent in batches of 20, each batch with a different sender address, subject line and body text

Jul 2, 2014 13:44 GMT

Security researchers have discovered a new version of the Cridex malware that adds a self-propagating email component: each infected machine sends phishing emails using a database of 50,000 stolen SMTP credentials.

Dubbed Geodo, the Cridex variant is just as capable as the original at stealing information from an infected computer, exfiltrating sensitive data such as email credentials and online banking details.

A blog post by Seculert CTO Aviv Raff says that the new strain basically turns “each bot in the botnet into a vehicle for infecting new targets.”

Analysis of a sample showed that once Geodo infects a computer, it downloads a second malicious component that contacts the command and control (C&C) server, which hands it a database of roughly “50,000 stolen SMTP account credentials including the related SMTP servers to connect to.”

The bot then sends legitimate-looking phishing emails in batches of 20, and for each batch the C&C supplies a distinct sender address, subject line and body text. This lets the operators run several different phishing campaigns from the same infrastructure and raises the overall success rate.
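A bot that sends mail through stolen third-party SMTP accounts produces a network signature the article's description implies: one workstation authenticating to many unrelated external mail servers in a short time. The detection below is an added example, not code from Seculert or the article; the log format, the IP addresses and the sanctioned relay address are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall / NetFlow-style records (assumed format:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"); not real telemetry.
# 10.0.5.23 fans out to six different external SMTP servers within ten seconds,
# which is what a bot working through a list of stolen SMTP accounts looks like;
# 10.0.5.41 only talks to the organisation's own relay.
SAMPLE_LOG = """\
2014-07-02T13:40:01 10.0.5.23 203.0.113.10 587 tcp
2014-07-02T13:40:03 10.0.5.23 198.51.100.7 25 tcp
2014-07-02T13:40:05 10.0.5.23 203.0.113.44 587 tcp
2014-07-02T13:40:07 10.0.5.23 192.0.2.90 465 tcp
2014-07-02T13:40:09 10.0.5.23 198.51.100.130 25 tcp
2014-07-02T13:40:11 10.0.5.23 203.0.113.200 587 tcp
2014-07-02T13:41:00 10.0.5.41 10.0.0.5 587 tcp
2014-07-02T13:41:30 10.0.5.41 10.0.0.5 587 tcp
2014-07-02T13:42:00 10.0.5.23 203.0.113.10 443 tcp
"""

SMTP_PORTS = {25, 465, 587}          # SMTP, SMTPS, submission
MAIL_RELAYS = {"10.0.0.5"}           # sanctioned internal relay (assumption)


def parse_line(line: str):
    """Split one constructed log record into (timestamp, src, dst, port, proto)."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def find_spam_bots(log_text: str, window: timedelta = timedelta(minutes=5),
                   threshold: int = 3) -> dict:
    """Return {src_ip: n} for every source host that contacted more than
    `threshold` distinct non-sanctioned SMTP servers inside any `window`.
    n is the largest number of distinct SMTP destinations seen in one window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_line(line)
        # Only outbound SMTP that bypasses the organisation's own relay is of interest.
        if proto != "tcp" or port not in SMTP_PORTS or dst in MAIL_RELAYS:
            continue
        events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, lo = 0, 0
        # Sliding time window over the host's SMTP connections.
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in evs[lo:hi + 1]}))
        if best > threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for host, n in find_spam_bots(SAMPLE_LOG).items():
        print(f"{host}: {n} distinct external SMTP servers in one window")
```

The threshold and window are tuning knobs: a mail client legitimately talks to one or two submission servers, so anything beyond a handful of distinct destinations from a workstation, rather than from the sanctioned relay, is worth an alert regardless of the malware family behind it.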

According to Seculert, 46% of the stolen SMTP credentials belong to accounts in Germany. Further evidence that the operators behind Geodo are targeting German users is that the emails themselves are written in German.

The emails contain a link that downloads a ZIP archive holding an executable disguised as a PDF file; opening it installs Geodo on the computer, and the cycle repeats from the newly infected host.
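The lure relies on a ZIP entry whose name or icon suggests a document while its bytes are a Windows executable. The scanner below is an added example of how a mail gateway can catch that pattern; it is not code from Seculert or from the article, and the archive it inspects, including the German-looking file names, is constructed for the example rather than taken from the Geodo campaign. It goes slightly beyond the article by also catching two related naming tricks, a padded name and a right-to-left override character.

```python
import io
import zipfile

# Extensions Windows will execute on double-click.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf"}
# Extensions a victim expects to open harmlessly.
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
RTLO = "\u202e"  # Unicode right-to-left override; hides the real extension in file listings


def build_sample_zip() -> bytes:
    """Constructed sample archive. File names and contents are assumptions
    for this example, not artefacts from the Geodo campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Rechnung.pdf", b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n")        # benign PDF
        zf.writestr("Rechnung.pdf.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")     # double extension
        zf.writestr("Rechnung.pdf" + " " * 40 + ".exe", b"MZ\x90\x00")          # padded name
        zf.writestr("Bestellung.pdf", b"MZ\x90\x00\x03")                           # PE bytes under .pdf
    return buf.getvalue()


def name_findings(name: str) -> list[str]:
    """Flag naming tricks that make an executable pass for a document."""
    findings = []
    base = name.rsplit("/", 1)[-1]
    if RTLO in base:
        findings.append("rtlo override")
        base = base.replace(RTLO, "")
    parts = base.lower().split(".")
    ext = parts[-1].strip()
    if len(parts) >= 3 and ext in EXEC_EXT and parts[-2].strip() in DOC_EXT:
        findings.append("double extension")
    if "  " in base:
        findings.append("whitespace padding")
    return findings


def content_findings(name: str, head: bytes) -> list[str]:
    """Flag content that contradicts the extension: a PE image ('MZ' magic)
    stored under a document extension, or any PE image at all."""
    ext = name.rsplit("/", 1)[-1].lower().rsplit(".", 1)[-1].strip()
    if head[:2] == b"MZ" and ext not in EXEC_EXT:
        return ["pe content under non-executable extension"]
    if head[:2] == b"MZ":
        return ["pe content"]
    return []


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Return {entry name: findings} for every suspicious entry in the archive."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)   # only the magic bytes are needed
            findings = name_findings(info.filename) + content_findings(info.filename, head)
            if findings:
                flagged[info.filename] = findings
    return flagged


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()).items():
        print(f"{entry!r}: {', '.join(why)}")
```

Checking the magic bytes rather than trusting the extension is the part that matters: the name checks catch sloppy lures, but a PE image stored as `Bestellung.pdf` is only caught by looking at the content.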

Because the malware also steals email credentials, the pool of SMTP accounts can keep growing as new entries harvested by the botnet itself are added.

“There is no definitive information on where the 50,000 stolen credentials came from, but Cridex is the suspected culprit. And as a data stealer, Geodo can compromise the intellectual property of a corporation, putting its business and reputation at risk. This new email worm capability displayed by Geodo serves to further emphasize the growing threat of advanced malware to today’s enterprises.”

Cridex, also known as Feodo and Bugat, is designed to steal sensitive information, including personal details, online banking credentials and login credentials for social networking websites.

It can update itself, and some samples use a domain generation algorithm (DGA) to constantly change the command and control addresses they connect to.