Spam containing Cridex Banking Trojan on the rise

July 13, 2012

Dell SonicWALL Threats Research team observed an increase in spam themes containing a newer variant of the Cridex Banking Trojan. We observed two different spam themes serving this Trojan, one of which purported to be from United Postal Service with an invoice attached. The other theme enticed the user to open scandalous pictures in the attachment. The zipped attachments in these emails contain a newer variant of the Cridex Banking Trojan. We have observed this Trojan being served through other spam themes in the past, both as attachments and as links to exploit kits.

Samples of the spam themes used are shown below:
screenshot

The Trojan inside the zipped attachment looks like:
screenshot

When executed, the Cridex Trojan performs the following activities:

  • It creates the following files:
    • %appdata%\KB00052230.exe (copy of itself) [Detected as GAV: Cridex.E (Trojan)]
    • %appdata%\{RandomHex}{RandomHex} (files that contain intercepted banking credentials)
    • %temp%\exp1E.tmp.bat (batch file)
  • It creates the following registry keys:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: "%appdata%\KB00052230.exe"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S38C2CF0E (the list of banks, injection scripts and configuration is stored in this key)
  • The batch file "%temp%\exp1E.tmp.bat" contains directives to delete the original executable and itself:

    screenshot

  • It contacts one of the hardcoded C&C servers to report infection and download the configuration file:

    screenshot

  • It hooks various APIs for code injection and to intercept banking credentials:

    screenshot

  • A sample of the configuration file stored in the registry key is shown below:

    screenshot

  • A sample of captured data stored in "%appdata%{RandomHex}{RandomHex}" is shown below:

    screenshot
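
As an added example (not part of the advisory, and not SonicWALL code), the following PowerShell triage script checks a Windows host for the artifacts listed above: a Run value launching an executable from %APPDATA%, the dropped KB00052230.exe copy, and the configuration subkey under Windows NT. The KB########.exe name pattern and the S-plus-eight-hex-digit subkey pattern are assumptions generalised from this single sample.

```powershell
# Added host triage script for the Cridex artifacts described in the advisory.
# KB00052230.exe, the Run key and the S38C2CF0E subkey come from the write-up;
# the broader KB########.exe and S[0-9A-F]{8} patterns are assumptions.

$findings = @()
$appData  = $env:APPDATA
$psMeta   = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. Run-key values that launch an executable from %APPDATA%
#    (the advisory's persistence value points at %appdata%\KB00052230.exe).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }   # skip provider metadata properties
        $target = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
        if ($target.StartsWith($appData, [System.StringComparison]::OrdinalIgnoreCase) -and
            $target -match '\.exe') {
            $findings += "Run value '$($p.Name)' launches from %APPDATA%: $target"
        }
    }
}

# 2. Dropped copy of the Trojan directly under %APPDATA%. The exact name in the
#    advisory is KB00052230.exe; KB followed by eight digits is an assumed pattern.
Get-ChildItem -Path $appData -File -Filter 'KB*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^KB\d{8}\.exe$' } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $findings += "Suspicious executable $($_.FullName) SHA256=$hash"
    }

# 3. Unexpected subkeys under HKCU\Software\Microsoft\Windows NT. The sample stored
#    its bank list and injection scripts in S38C2CF0E; the pattern is an assumption.
$ntKey = 'HKCU:\Software\Microsoft\Windows NT'
Get-ChildItem -Path $ntKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S[0-9A-F]{8}$' } |
    ForEach-Object { $findings += "Unexpected registry subkey $($_.Name)" }

if ($findings.Count -eq 0) { 'No Cridex-style artifacts found.' } else { $findings }
```

Run it in the context of the user profile being examined, since all three locations live under HKCU and %APPDATA%.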

Geographical distribution of spam targets and C&C servers is shown below. It is evident from this data that users of banking institutions in the United States were primarily targeted.

screenshot

screenshot

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Cridex.E (Trojan)
  • GAV: Banker.Q_5 (Trojan)
  • GAV: Banker.PST#email (Trojan)
  • GAV: Banker.PST#email_2 (Trojan)