Earlier this week, S21sec's Ecrime team detected what seems to be an evolution of one of the old variants -unrelated to Geodo- which has new and noteworthy features.
First of all, it uses a loader with limited functionality as the first infection step used to download the main trojan module in the form of a DLL using the following paths and injecting itself into explorer.exe as in earlier versions:
Trojan network communication is done through the typical 8080 although the path is a bit different from what we are used to:
Once the installation step is completed, the trojan downloads the configuration file which is just a gzip file with a fake header:
The config file uses the XML like format seen on previous versions which has the following structure:
- modules: Embedded new modules encoded in Base64:
- vnc_x32
- vnc_x64
- socks_x32
- socks_x64
- bot_x32
- bot_x64
- httpshots y clickshots: URL patterns for which the trojan must perform screenshots
- formgrabber: URL patterns used for form grabbing
- bconnect: Back Connect Server
- vncconnect: VNC Server
- redirects: External resources references used on injections
- httpinjects: Entity URL patterns with their corresponding injections
Affected entities seems to be mainly from UK, Ireland, United Arabian Emirates and Qatar, with some injections designed to bypass second authentication factor which, in combination with the VNC module, will allow the attacker to supplant the victim's online banking session.
So it seems that after some months of silence on Cridex world, a new old friend (dressed up for the ocassion) joins Geodo on its journey.
--
The MD5 signatures of the files analyzed by S21sec were:
- loader: 9d81ac7604ef2a0096537396a4a91193
- bot_x32: 04b55edf43a006f9c531287161fa2fa8
- vnc_x32: c73c3c18b74c67e88d5b3f4658016dcd
- vnc_x64: 5ecfc1d3274845bf5ff3f66ca255945e
- socks_x32: 53eb0e59b5bb574df5755527dc3d4f47
- socks_x64: 0dfc66eadbd9e88b2262ac848eadee8f
- bot_x64: 4df1cef98bbc174ba02f17d2ca6c0a58
