Craigslist spam uses Blackhole Exploit to download Cridex Banking Trojan

June 8, 2012

The Sonicwall UTM research team received reports a new large spam campaign that uses a fake Craigslist automated message that contains a malicious link. The URL inside the e-mail points to a malicious site hosting the blackhole exploit kit. The Blackhole exploit kit as we have seen in past is capable of serving multiple exploits that target Java, Adobe Reader, Adobe Flash player, Windows Media player etc. depending on the victim machine's configuration. It first attempts to exploit CVE-2006-0003 and if successful downloads and runs Cridex Trojan. Users whose systems are not patched to cover this security hole need only launch the link in their browser to become infected.

The spammed email uses the following text which contains the malicious link:

The webpage contains a javascript function [Detected as GAV: Expack.PP (Exploit)] that contains encrypted code. The decrypted code contains the following shellcode exploit:

The shellcode decrypts a URL that hosts a variant of the Cridex banking Trojan. This Trojan has been covered in a previous sonicalert. It causes the browser to download and execute the Trojan executable:

The Trojan adds the following files to the filesystem:

  • %APPDATA%KB01217753.exe [Detected as GAV: Cridex.MLX (Trojan)]
  • %USERPROFILE%21d0fb5.exe (copy of KB01217753.exe) [Detected as GAV: Cridex.MLX (Trojan)]
  • %USERPROFILE%Local SettingsTempexp3E.tmp.bat

KB01217753.exe and 21d0fb5.exe use the following icons:

exp3E.tmp.bat contains the following text:

      @echo off
      del /F /Q /A "%USERPROFILE%21d0fb5.exe"
      if exist "%USERPROFILE%21d0fb5.exe" goto R
      del /F /Q /A "%USERPROFILE%Local SettingsTempexp3E.tmp.bat"

The Trojan adds the following key to the windows registry to enable startup after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun "KB01217753.exe" "%AppData%KB01217753.exe"

The Trojan was observed posting sensitive encrypted system information to a remote server. The behavior of this Trojan is similar to the previous variant:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Cridex.MLX (Trojan)
  • GAV: Expack.PP (Exploit)
  • GAV: Blacole.GB (Exploit)