Home / malware Win32/Cridex
First posted on 11 November 2011.
Source: SecurityHomeAliases :
Win32/Cridex is also known as PWS-Spyeye.de (McAfee).
Explanation :
Win32/Cridex is malware that may be delivered via spammed malware such as TrojanDownloader:Win32/Skidlo.A, or by other malicious code such as variants of Exploit:JS/Blacole. The malware could spread to removable drives, steal local certificates, capture online banking credential entered via web browsers, download and execute files, and search and upload local files.
Top
Win32/Cridex is malware that may be delivered via spammed malware such as TrojanDownloader:Win32/Skidlo.A, or by other malicious code such as variants of Exploit:JS/Blacole. The malware could spread to removable drives, steal local certificates, capture online banking credential entered via web browsers, download and execute files, and search and upload local files.
Installation
When run, Win32/Cridex drops a copy of the worm as a randomly named file as in one of the following examples:
- %USERPROFILE%\Application Data\kb<random numerals>.exe (i.e. "kb323934.exe")
- %USERPROFILE%\Application Data\<random hexadecimal string>.exe (i.e. "9f9d8315.exe")
The registry is modified to run the worm copy at each Windows start.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "random string" (i.e "9f9d8315")
With data: "Win32/Cridex file name" (i.e. "9f9d8315.exe")
Win32/Cridex launches the worm copy and deletes its dropper. Win32/Cridex injects itself into every running process and hooks the API "ZwResumeThread" to ensure it will load into each newly created process.
Spreads via...
Removable drives
Depending on its configuration, Win32/Cridex drops a copy of the worm to removable drives as a randomly named executable, in a randomly named folder, as in the following example:
- <drive:>\lnoqrz\bfnpyo.exe
The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Payload
Communicates with a remote server
Win32/Cridex communicates via SSL with a remote server that is used for command and control of the malware. Win32/Cridex was observed to connect with one for the following domains for this purpose:
- muvinor.ru
- pecoran.ru
- evenconc.ru
- extorld.ru
- imbingdo.ru
- shushev.ru
Win32/Cridex could be instructed to perform any of the following actions:
- Export installed certificates and pack them into cabinet file
- Clean cookies for various software, e.g. Internet Explorer, Firefox, Adobe Flash
- Download and execute additional files
- Search and upload local files
- Upload collected certificates and credentials
- Retrieve configuration data and store it in the registry, e.g. HKCU\Software\Microsoft\Windows Media Center\<random hex string>\Default
Steals and shares financial logon details
Win32/Cridex hooks various network related APIs in the web browser process (e.g. "iexplorer.exe" and "firefox.exe") to monitor and redirect HTTP and HTTPS traffic and capture online banking credentials. This malware was observed to capture credentials for various online banking sites. Below is a short list and example of some of the websites targeted by the malware:
Captures logon credentials Win32/Cridex may capture logon information from websites such as the following:
- bankofamerica.com
- chaseonline.chase.com
- citibank.com
- cibng.ibanking-services.com
- ebanking-services.com
- ibanking-services.com
- bankonline.umpquabank.com
- nsbank.com
- comerica.com
- securentry.calbanktrust.com
- express.53.com
- homebank.nbg.gr
- online.ccbank.bg
- ebanking.eurobank.gr
- itreasury.regions.com
- wellsfargo.com
- www2.firstbanks.com
- Facebook.com
- Twitter.com
- Blogger.com
- Flickr.com
- Livejournal.com
Analysis by Shawn Wang
Last update 11 November 2011