Home / malwarePDF  

Win32/Cridex


First posted on 23 January 2014.
Source: Microsoft

Aliases :

There are no other names known for Win32/Cridex.

Explanation :

Threat behavior

Installation
When run, Win32/Cridex installs a copy of itself as a randomly named file as in one of the following examples:

  • %USERPROFILE% \Application Data\kb.exe (i.e. "kb323934.exe")
  • %USERPROFILE% \Application Data\.exe (i.e. "9f9d8315.exe")


The registry is modified to run the worm copy at each Windows start.

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "random string" (i.e "9f9d8315")
With data: "Win32/Cridex file name" (i.e. "9f9d8315.exe")

Win32/Cridex launches the worm copy and deletes its dropper. Win32/Cridex injects itself into every running process and hooks the API "ZwResumeThread" to ensure it will load into each newly created process.

Spreads via...

Removable drives

Win32/Cridex can create the following copies on removable drives, such as USB flash drives:

  • \lnoqrz\bfnpyo.exe


It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.

Payload

Steals and shares financial logon details

Win32/Cridex hooks various network related APIs in the web browser process (e.g. "iexplorer.exe" and "firefox.exe") to monitor and redirect HTTP and HTTPS traffic and capture online banking credentials. We have seen it steal credentials for a number of banking websites, including the following:

  • bankofamerica.com
  • chaseonline.chase.com
  • citibank.com
  • cibng.ibanking-services.com
  • ebanking-services.com
  • ibanking-services.com
  • bankonline.umpquabank.com
  • nsbank.com
  • comerica.com
  • securentry.calbanktrust.com
  • express.53.com
  • homebank.nbg.gr
  • online.ccbank.bg
  • ebanking.eurobank.gr
  • itreasury.regions.com
  • wellsfargo.com
  • www2.firstbanks.com
Captures logon credentials

Win32/Cridex may capture logon information from websites such as the following:
  • Facebook.com
  • Twitter.com
  • Blogger.com
  • Flickr.com
  • Livejournal.com


Communicates with a remote server

Win32/Cridex communicates via SSL with a remote server that is used for command and control of the malware. We have seen Win32/Cridex connect with the following domains:

  • evenconc.ru
  • extorld.ru
  • imbingdo.ru
  • muvinor.ru
  • pecoran.ru
  • shushev.ru


Win32/Cridex can be told to perform any of the following actions:

  • Export installed certificates and pack them into cabinet file
  • Clean cookies for various software, e.g. Internet Explorer, Firefox, Adobe Flash
  • Download and run other files
  • Search and upload local files
  • Upload collected certificates and credentials
  • Retrieve configuration data and store it in the registry, for example, HKCU\Software\Microsoft\Windows Media Center\\Default




Analysis by Shawn Wang

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    %USERPROFILE%\Application Data\kb.exe (i.e. "kb323934.exe")
    %USERPROFILE%\Application Data\.exe (i.e. "9f9d8315.exe")
  • You see this entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "random string" (i.e "9f9d8315")
    With data: "Win32/Cridex file name" (i.e. "9f9d8315.exe")

Last update 23 January 2014

 

TOP

Malware :