Installation
When run, Win32/Cridex installs a copy of itself as a randomly named file as in one of the following examples:
-
%USERPROFILE%\Application Data\kb<random numerals>.exe (i.e. "
kb323934.exe")
-
%USERPROFILE%\Application Data\<random hexadecimal string>.exe (i.e. "
9f9d8315.exe")
The registry is modified to run the worm copy at each Windows start.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "random string" (i.e "9f9d8315")
With data: "Win32/Cridex file name" (i.e. "9f9d8315.exe")
Win32/Cridex launches the worm copy and deletes its dropper. Win32/Cridex injects itself into every running process and hooks the API "ZwResumeThread" to ensure it will load into each newly created process.
Spreads via...
Removable drives
Win32/Cridex can create the following copies on removable drives, such as USB flash drives:
- <drive:>\lnoqrz\bfnpyo.exe
It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.
This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.
Payload
Steals and shares financial logon details
Win32/Cridex hooks various network related APIs in the web browser process (e.g. "iexplorer.exe" and "firefox.exe") to monitor and redirect HTTP and HTTPS traffic and capture online banking credentials. We have seen it steal credentials for a number of banking websites, including the following:
- bankofamerica.com
- chaseonline.chase.com
- citibank.com
- cibng.ibanking-services.com
- ebanking-services.com
- ibanking-services.com
- bankonline.umpquabank.com
- nsbank.com
- comerica.com
- securentry.calbanktrust.com
- express.53.com
- homebank.nbg.gr
- online.ccbank.bg
- ebanking.eurobank.gr
- itreasury.regions.com
- wellsfargo.com
- www2.firstbanks.com
Captures logon credentials
Win32/Cridex may capture logon information from websites such as the following:
-
Facebook.com
-
Twitter.com
-
Blogger.com
-
Flickr.com
-
Livejournal.com
Communicates with a remote server
Win32/Cridex communicates via SSL with a remote server that is used for command and control of the malware. We have seen Win32/Cridex connect with the following domains:
- evenconc.ru
- extorld.ru
- imbingdo.ru
- muvinor.ru
- pecoran.ru
- shushev.ru
Win32/Cridex can be told to perform any of the following actions:
- Export installed certificates and pack them into cabinet file
- Clean cookies for various software, e.g. Internet Explorer, Firefox, Adobe Flash
- Download and run other files
- Search and upload local files
- Upload collected certificates and credentials
- Retrieve configuration data and store it in the registry, for example, HKCU\Software\Microsoft\Windows Media Center\<random hex string>\Default
Analysis by Shawn Wang
