2014-01-16

Cridex malware

Third party analysis:

The Cridex malware is being spread across German-speaking countries with phishing emails trying to convince the recipients that there is a bill to pay, supposedly from Vodafone, Telekom or Volksbank.
So far I have seen these download places:

Once executed, the malware stores itself under a name that mimics Microsoft updates.

Then it starts downloading secondary malware. In the cases I have analyzed it was downloaded from the following sites:

Based on the string templates contained in the malware we can assume that it can steal FTP and POP3 passwords, certificates, and data from Internet Explorer and Firefox. The templates found in the sample are:

application/x-www-form-urlencoded
<http time="%%%uu"><url><![CDATA[%%.%us]]></url><useragent><![CDATA[%%.%us]]></useragent><data><![CDATA[ ]]></data></http>
<httpshot time="%%%uu"><url><![CDATA[%%.%us]]></url><data><![CDATA[ ]]></data></httpshot>
<ftp time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server><user><![CDATA[%%.%us]]></user><pass><![CDATA[ ]]></pass></ftp>
<pop3 time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server><user><![CDATA[%%.%us]]></user><pass><![CDATA[ ]]></pass></pop3>
<cmd id="%u">%u</cmd>
<cert time="%u"><pass><![CDATA[ ]]></pass><data><![CDATA[ ]]></data></cert>
<ie time="%u"><data><![CDATA[ ]]></data></ie>
<ff time="%u"><data><![CDATA[ ]]></data></ff>
<mm time="%u"><data><![CDATA[ ]]></data></mm>
<message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u"><header><unique>%%.%us</unique><version>%%u</version><system>%%u</system><network>%%u</network></header><data>
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqc9owreYFWWw7dWyebIKAxYwYx+V6bdlMGyN35YV/AM6ziObAkkVHtrvZFziejahX+ctQFmjy+vClz4nZubNU8dZlK/tBUcHbax/yr2ZdzjzimhvWvsNdA3YG6DTqb30GfOjcXwOHPPIycn1iYSjg1igdbg3a9mXklAouWzaD6wIDAQAB
</data></message>
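Added example, not code from the original post or from the malware: the doubled %% in the templates above read as printf escapes, which is taken here as an assumption that each record is formatted in two passes, one fixing field widths and one filling values. The script resolves the quoted FTP and POP3 templates that way with constructed values, then parses the resulting report the way an incident responder triaging a captured beacon would, listing exposed accounts while reducing any secret to a presence flag; the message envelope, bot id and all sample values are constructed, not captured.

```python
import xml.etree.ElementTree as ET

# Two record templates copied verbatim from the strings quoted above.
FTP_TMPL = ('<ftp time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server>'
            '<user><![CDATA[%%.%us]]></user><pass><![CDATA[ ]]></pass></ftp>')
POP3_TMPL = ('<pop3 time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server>'
             '<user><![CDATA[%%.%us]]></user><pass><![CDATA[ ]]></pass></pop3>')
# Outer <message> envelope: a constructed, already-resolved version of the quoted
# template (its %%%%u / %%.%us escapes collapsed to plain %u / %s for this demo).
MSG_TMPL = ('<message set_hash="%s" req_set="%u" req_upd="%u"><header><unique>%s'
            '</unique><version>%u</version><system>%u</system><network>%u</network>'
            '</header><data>%s</data></message>')

def expand_record(template, time_width, user_width, ts, ip, port, user):
    """Resolve a record template as two successive printf calls would (assumption
    drawn from the doubled %% escapes): pass 1 turns %%%uu into %<time_width>u and
    %%.%us into %.<user_width>s, pass 2 fills timestamp, IPv4 octets, port, user."""
    fmt = template % (time_width, user_width)
    octets = tuple(int(o) for o in ip.split("."))
    return fmt % ((ts,) + octets + (port, user))

def build_message(bot_id, records):
    """Wrap expanded records in the envelope (header values are constructed)."""
    return MSG_TMPL % ("deadbeef", 1, 0, bot_id, 1, 2, 1, "".join(records))

def summarize(xml_text):
    """Parse a captured report and list which accounts it exposes. Secrets are
    never copied out: <pass> and <data> payloads are reduced to a presence flag."""
    root = ET.fromstring(xml_text)
    exposed = []
    for rec in root.find("data"):
        entry = {"proto": rec.tag, "time": int(rec.get("time", "0").strip())}
        if rec.tag in ("ftp", "pop3"):      # credential records
            entry.update(server=rec.findtext("server"), user=rec.findtext("user"),
                         pass_present=bool((rec.findtext("pass") or "").strip()))
        else:                               # http, httpshot, cert, ie, ff, mm
            entry.update(server=rec.findtext("url"), user=None,
                         pass_present=bool((rec.findtext("data") or "").strip()))
        exposed.append(entry)
    return root.findtext("header/unique"), exposed

if __name__ == "__main__":
    recs = [expand_record(FTP_TMPL, 10, 64, 1389878400, "192.0.2.10", 21, "deploy"),
            expand_record(POP3_TMPL, 10, 64, 1389878401, "192.0.2.20", 110, "alice@example.net")]
    bot, found = summarize(build_message("BOT-EXAMPLE-0001", recs))
    for e in found:
        print(bot, e["proto"], e["server"], e["user"], "password captured" if e["pass_present"] else "")
```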

8 comments:

  1. http://software.sonicwall.com/applications/gav/index.asp?ev=v&v_id=29420
  2. http://totalhash.com/search/dnsrr:kolodavoloda.ru
  3. http://blogs.cisco.com/security/fake-phone-bills-contain-malware-targeting-dt-customers/
  4. http://x1a0ran.blog.com/2013/01/04/malware-analysis-worm-cridex-1/
  5. http://www.virusbtn.com/virusbulletin/archive/2012/10/vb201210-Cridex.dkb?mobile_on=no
  6. http://malwaremustdie.blogspot.com/2013/01/cridex-fareit-infection-analysis.html
  7. http://malwaremustdie.blogspot.com/2012/12/get-more-personal-deeper-into-cridex.html
  8. http://blog.check-and-secure.com/virenwarnung-deutsche-post-dhl-sendungsverfolgung-220268857055/