SpearPhish Leads to Cridex

I haven't seen a spear-phish campaign like this in a while. This is a rather decent campaign as it contains the recipient's full name and address. While the email contains some grammar errors, I think this has the potential to fool a lot of people.

The email is purportedly sent from a company called "National Processing Company (NPC)" using the following sender addresses (there are probably more):

CustomerInfo@npc[.]net
SalesInfo@npc[.]net
SupportInfo@npc[.]net

The subject lines use different words to convey the same meaning, just like the email body itself. It's as if the spear-phishers used a thesaurus to find synonyms of key words. This was likely done in an attempt to evade spam filters and give the message a greater chance of landing in inboxes.

  • Transaction #3434233928 will be cleared within the next 48 hours. Your account will be billed for $1443.93
  • Transaction #9212303923 will be finished in the next 24 hours. Your card will be charged for $3043.35
  • Transaction #8474541903 will be completed in the following 48 hours. Your bank account will be charged for $1965.93
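As an added example (not code from the original post), a small Python detector that collapses the synonym swaps seen in these subject lines into canonical tokens and then matches the one underlying template; the sample input is the three subjects above plus two constructed benign ones.

```python
import re

# Constructed sample: the three subject lines from the post plus benign ones.
SAMPLE_SUBJECTS = [
    "Transaction #3434233928 will be cleared within the next 48 hours. Your account will be billed for $1443.93",
    "Transaction #9212303923 will be finished in the next 24 hours. Your card will be charged for $3043.35",
    "Transaction #8474541903 will be completed in the following 48 hours. Your bank account will be charged for $1965.93",
    "Your order #12345 has shipped",
    "Transaction #555 will be completed",
]

# Synonym groups observed across the campaign; each group collapses to one
# canonical uppercase token so a single template can match every variant.
# Longer alternatives come first so "bank account" is not split on "account".
SYNONYMS = {
    r"cleared|finished|completed": "DONE",
    r"within the next|in the next|in the following": "WITHIN",
    r"bank account|account|card": "ACCOUNT",
    r"billed|charged": "CHARGED",
}

# The shared template once the synonyms have been normalised.
TEMPLATE = re.compile(
    r"^transaction #\d{6,} will be DONE WITHIN \d{1,3} hours\. "
    r"your ACCOUNT will be CHARGED for \$\d+(?:\.\d{2})?$"
)


def normalize(subject: str) -> str:
    """Lowercase the subject and replace each synonym group with its token."""
    s = subject.lower().strip()
    for pattern, token in SYNONYMS.items():
        s = re.sub(rf"\b(?:{pattern})\b", token, s)
    return s


def matches_campaign(subject: str) -> bool:
    """True if the subject fits the campaign's template after normalisation."""
    return TEMPLATE.match(normalize(subject)) is not None


def scan(subjects):
    """Return the subjects that match the campaign template."""
    return [s for s in subjects if matches_campaign(s)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_SUBJECTS):
        print("MATCH:", hit)
```

The synonym table is built only from the variants quoted in this post; new wording would need another entry in the relevant group.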

If the recipient clicks on the link, they are taken to a webpage containing the usual malicious JavaScript redirect.

The redirect led to none other than the Blackhole Exploit Kit, which used a Java exploit to drop an executable called "calc.exe"; this was then copied to AppData under the filename "KB00151121.exe". The binary is a banking Trojan called "Cridex".

Filename: V.class
MD5: EDCB0D8443D790B0B58B540A2B094E5C
VT: 3 / 42

Filename: calc.exe / KB00151121.exe
MD5: B4790A09B20FD4DB9EAFB41284920E46
VT: 10 / 42

Cridex then pulled down its config/webinjects file over HTTPS. This file (279KB) looks like it now targets over 200 sites, and not only banks: Blogger, Facebook, Flickr, LiveJournal, and Twitter are all included.

Daniel Chechik, a security researcher at M86 Security Labs (now Trustwave SpiderLabs), wrote an excellent article on his analysis of Cridex that covers all the bases. Go and check it out!

Posted on: 07/10/2012