SpearPhish Leads to Cridex
I haven't seen a spear-phish campaign like this in a while. It is a fairly convincing one, as each email contains the recipient's full name and postal address. While the email contains some grammar errors, I think it has the potential to fool a lot of people.
The email is purportedly sent from a company called "National Processing Company (NPC)" with the following email addresses (probably more):
The subject lines use different words to convey the same meaning, just like the body of the email. It's as if the spear-phishers used a thesaurus to find synonyms for the key words. This was likely done in an attempt to evade spam filters that match on fixed phrases, giving the mail a greater chance of landing in inboxes.
- Transaction #3434233928 will be cleared within the next 48 hours. Your account will be billed for $1443.93
- Transaction #9212303923 will be finished in the next 24 hours. Your card will be charged for $3043.35
- Transaction #8474541903 will be completed in the following 48 hours. Your bank account will be charged for $1965.93
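The three subject lines above follow one template with synonyms swapped in, which is exactly what defeats a fixed-string spam rule. The following Python is an added example (not code from the original post) of how a mail filter can catch the template instead of the words: it collapses the synonym groups seen in these subjects to a canonical token, replaces the varying numbers with a placeholder, and then matches or clusters on the resulting signature. The synonym table and the sample subjects are constructed from the three lines quoted in the post plus two benign subjects.

```python
import re
from collections import defaultdict

# Constructed sample data: the three phishing subjects quoted in the post
# and two benign subjects that must not be flagged.
SAMPLE_SUBJECTS = [
    "Transaction #3434233928 will be cleared within the next 48 hours. Your account will be billed for $1443.93",
    "Transaction #9212303923 will be finished in the next 24 hours. Your card will be charged for $3043.35",
    "Transaction #8474541903 will be completed in the following 48 hours. Your bank account will be charged for $1965.93",
    "Re: lunch on Friday?",
    "Your order #1234 has shipped",
]

# Synonym groups observed across the three subjects, each collapsed to one
# canonical token. An empty string drops the word ("bank account" -> "account").
SYNONYMS = {
    "cleared": "done", "finished": "done", "completed": "done",
    "within": "in",
    "following": "next",
    "billed": "charged",
    "account": "card",
    "bank": "",
}

# The template the campaign follows once synonyms are canonicalised.
TEMPLATE = re.compile(
    r"^transaction #\d{6,} will be done in the next \d{1,3} hours\. "
    r"your card will be charged for \$\d+(\.\d{2})?$"
)


def normalize(subject: str) -> str:
    """Lowercase the subject and map each synonym to its canonical token,
    keeping trailing punctuation so sentence boundaries survive."""
    out = []
    for tok in subject.lower().split():
        core = tok.rstrip(".,!?")
        punct = tok[len(core):]
        core = SYNONYMS.get(core, core)
        if core == "":
            continue  # word dropped by the synonym table
        out.append(core + punct)
    return " ".join(out)


def signature(subject: str) -> str:
    """Template signature: normalised text with every number replaced by <n>,
    so subjects that differ only in IDs, hours and amounts collide."""
    return re.sub(r"\d+(\.\d+)?", "<n>", normalize(subject))


def flag_templated(subjects):
    """Return the subjects that match the known campaign template."""
    return [s for s in subjects if TEMPLATE.match(normalize(s))]


def cluster_by_signature(subjects):
    """Group subjects by template signature; a large cluster of otherwise
    different-looking subjects is itself a useful campaign indicator."""
    groups = defaultdict(list)
    for s in subjects:
        groups[signature(s)].append(s)
    return dict(groups)


if __name__ == "__main__":
    for s in flag_templated(SAMPLE_SUBJECTS):
        print("FLAGGED:", s)
    for sig, members in cluster_by_signature(SAMPLE_SUBJECTS).items():
        print(f"{len(members)}x  {sig}")
```

The signature step is the more general of the two checks: it needs no hand-written regex for the campaign, only the synonym table, and it generalises to any future wording of the same template because the clustering is done on structure rather than on exact phrases.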
The link led to none other than the Blackhole Exploit Kit, which used a Java exploit to drop an executable called "calc.exe"; this was then copied to AppData under the filename "KB00151121.exe". The binary is a banking Trojan called "Cridex".
VT: 3 / 42
Filename: calc.exe / KB00151121.exe
VT: 10 / 42
Cridex then pulled down its config/webinjects file over HTTPS. This file (279KB) appears to list over 200 targets now, including non-bank sites such as Blogger, Facebook, Flickr, LiveJournal, and Twitter.
A security researcher from M86 Security Labs (now Trustwave SpiderLabs), Daniel Chechik, wrote an excellent article on his analysis of Cridex that covers all the bases. Go and check it out!
Posted on: 07/10/2012