Cridex Trojan actively spreading with IRS theme mails

November 2, 2012

The Dell SonicWALL Threats Research team discovered a new variant of an info-stealer Trojan in the wild that steals sensitive information from the user's system. The malware arrives as an e-mail message claiming that the recipient's income tax refund appeal has been declined by the IRS, with the details supposedly contained in an attached IRS letter.

A sample E-mail message from this campaign looks like below:

[screenshot: sample e-mail message from the campaign]

The zip attachment in the E-mail contains the malware executable.

Infection cycle

The infection begins when the user opens the malicious file inside the zip attachment. The malware drops a copy of itself and modifies the system registry so that the dropped copy runs each time the system reboots. The dropped filename uses the format KB%08d.exe, i.e. KB followed by an 8-digit number and .exe. Another malicious file is dropped under the name exp.tmp.exe; this file injects malicious code into explorer.exe.

Following are the malicious files dropped on the system:

  • C:\Documents and Settings\Owner\Application Data\KB00654892.exe [Detected as GAV: Cridex.SRI_2 (Trojan)]
  • C:\Documents and Settings\Owner\Local Settings\Temp\exp.tmp.exe [Detected as GAV: Kryptik.ALRY (Trojan)]

The following entry was added to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "C:\Documents and Settings\xxxx\Application Data\KB00654892.exe"

The malware also drops a batch file as C:\Documents and Settings\Owner\Local Settings\Temp\exp.tmp.bat that checks for and deletes the original file. The infected instance of explorer.exe was found to be connecting to a number of domains on port 8080:

  • rob.roboticwares.com
  • recipe.devrich.com
  • khtweb.sote.hu

We found a number of hardcoded C&C IP addresses in the executable:

  • 148.208.216.70:8080
  • 180.235.150.72:8080
  • 200.169.13.84:8080
  • 59.90.221.6:8080
  • 61.7.235.35:8080
  • 210.56.23.100:8080
  • 195.111.72.46:8080
  • 216.38.12.158:8080
  • 50.22.102.132:8080
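The host and network indicators listed above (the KB%08d.exe persistence entry under the Run key, the dropped temp files, the C&C domains and the hardcoded IP:port pairs) can be turned into a simple triage check. The script below is an added example written for this page, not SonicWALL's own tooling: it scans a list of Run-key entries for the KB%08d.exe naming pattern and classifies lines from a constructed outbound-connection log against the advisory's C&C list. It generalizes slightly beyond the text in two ways, both assumptions: it checks any key ending in \CurrentVersion\Run rather than only HKEY_CURRENT_USER, and it flags explorer.exe talking to port 8080 even when the destination is not on the list, since the advisory describes the injected explorer.exe as the process making those connections. The log format and all sample entries are constructed for the example.

```python
import re

# Indicators taken from the advisory above.
DROPPED_NAME_RE = re.compile(r"^KB\d{8}\.exe$", re.IGNORECASE)  # KB%08d.exe
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
C2_DOMAINS = {"rob.roboticwares.com", "recipe.devrich.com", "khtweb.sote.hu"}
C2_IPS = {
    "148.208.216.70", "180.235.150.72", "200.169.13.84", "59.90.221.6",
    "61.7.235.35", "210.56.23.100", "195.111.72.46", "216.38.12.158",
    "50.22.102.132",
}
C2_PORT = 8080

# Constructed sample data (assumption: not captured from a real host).
# Each Run-key entry is (key path, value name, value data).
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "KB00654892",
     r'"C:\Documents and Settings\xxxx\Application Data\KB00654892.exe"'),
    (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "KB12345678", r"C:\tmp\KB12345678.exe"),
]

# Constructed connection log; format is "<date> <time> <process> <dst>:<port>".
SAMPLE_CONNECTION_LOG = """\
2012-11-02 10:15:01 explorer.exe 148.208.216.70:8080
2012-11-02 10:15:03 explorer.exe rob.roboticwares.com:8080
2012-11-02 10:15:09 explorer.exe 203.0.113.5:8080
2012-11-02 10:16:00 svchost.exe 192.0.2.10:443
2012-11-02 10:16:30 iexplore.exe recipe.devrich.com:443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>\S+) (?P<dst>[^:\s]+):(?P<port>\d+)$"
)


def check_run_entries(entries):
    """Return Run-key entries whose target executable matches KB%08d.exe.

    Any hive's ...\\CurrentVersion\\Run key is inspected (assumption: the
    advisory only names HKEY_CURRENT_USER, but HKLM is worth checking too).
    """
    hits = []
    for key, name, data in entries:
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        path = data.strip().strip('"')          # drop surrounding quotes
        exe = path.rsplit("\\", 1)[-1]          # last path component
        if DROPPED_NAME_RE.match(exe):
            hits.append({"key": key, "value": name, "exe": exe})
    return hits


def check_connections(log_text):
    """Classify outbound connections against the advisory's indicators.

    'known_c2'      - destination is a listed C&C domain or IP (any port)
    'explorer_8080' - explorer.exe to port 8080 but not a listed destination
                      (heuristic assumption based on the injected-process
                      behaviour described in the advisory)
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        proc, dst, port = m["proc"], m["dst"], int(m["port"])
        if dst in C2_IPS or dst.lower() in C2_DOMAINS:
            findings.append(("known_c2", proc, f"{dst}:{port}"))
        elif proc.lower() == "explorer.exe" and port == C2_PORT:
            findings.append(("explorer_8080", proc, f"{dst}:{port}"))
    return findings


def summarize(findings):
    """Count findings by category, e.g. {'known_c2': 3, 'explorer_8080': 1}."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in check_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"persistence: {hit['key']}\\{hit['value']} -> {hit['exe']}")
    for kind, proc, dst in check_connections(SAMPLE_CONNECTION_LOG):
        print(f"{kind}: {proc} -> {dst}")
    print(summarize(check_connections(SAMPLE_CONNECTION_LOG)))
```

On a real host the Run-key tuples would come from a registry export and the log lines from a firewall or endpoint sensor; the known_c2 matches are high confidence, while the explorer_8080 heuristic only points at hosts worth a closer look.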

The following encrypted communication was observed between the Trojan and the C&C server:

[screenshot: encrypted communication between the Trojan and the C&C server]

A similar behavior was observed in a previous SonicALERT for eFax Spam.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Cridex.SRI_2 (Trojan)
  • GAV: Kryptik.ALRY (Trojan)