A knockoff of the Cridex banking Trojan has surfaced with an appetite for more than online banking credentials.
Seculert has called this one Geodo—a take on another of Cridex’s many aliases, Feodo—and has confirmed that the malware comes with an efficient self-replicating feature built on SMTP credentials stolen from compromised computers in the Cridex botnet. Geodo is a classic data-exfiltration Trojan that swipes everything from system information to email credentials, banking log-ins and much more.
“It goes after any type of information. It gathers your browser session or they can ask it to steal files; it’s a regular crimeware piece,” said Seculert CTO Aviv Raff. “The interesting part is that this is just one group using the malware. It’s not part of a kit, but one group and now they’ve added a new way of spreading.”
Confined mostly to Western European targets—Germans in particular—Geodo has a striking new feature where it can turn any bot under the hackers’ control into a vehicle for infecting new targets, Raff said.
Once a bot is compromised by Geodo, the malware downloads an email worm that opens a backdoor channel to a command-and-control server. The server sends the bot a list of 50,000 stolen SMTP account credentials, which are used to spam out messages 20 at a time. Once the credentials have been sent, the emails are composed with a sender address, subject line and body chosen for a particular campaign, Raff said. Every hour a new batch of 20 emails goes out, with fresh sender addresses, subject lines and body text, and the cycle starts over again.
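One way a network defender could surface the behaviour just described, as an added example that is not from the article or from Seculert: it parses constructed outbound-SMTP authentication log lines (a made-up format) and flags any internal host that authenticates with many distinct accounts within one hour, which an ordinary mail client does not do but a bot cycling through stolen credentials does. The threshold of 10 and every host and address below are assumptions.

```python
from collections import defaultdict

# Constructed sample: one normal workstation using its own mailbox, and one host
# that cycles through 20 different accounts within a single hour, the per-hour
# batch size the article attributes to Geodo. All addresses are made up.
NORMAL = [
    "2014-07-07T09:01:10 src=10.0.0.5 auth=alice@example.org dst=mail.example.org",
    "2014-07-07T09:41:02 src=10.0.0.5 auth=alice@example.org dst=mail.example.org",
    "2014-07-07T10:15:33 src=10.0.0.5 auth=alice@example.org dst=mail.example.org",
]
BOT = [
    f"2014-07-07T09:{m:02d}:00 src=10.0.0.42 auth=acct{m}@isp{m % 4}.test dst=smtp.isp{m % 4}.test"
    for m in range(20)
]
SAMPLE_LOG = NORMAL + BOT


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, val = field.partition("=")
        rec[key] = val
    return rec


def credentials_per_host_hour(lines):
    """Map (source host, hour bucket) -> set of distinct SMTP accounts used."""
    buckets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        hour = rec["ts"][:13]  # 'YYYY-MM-DDTHH'
        buckets[(rec["src"], hour)].add(rec["auth"])
    return buckets


def flag_spam_bots(lines, threshold=10):
    """Return (host, hour, count) for hosts that authenticated with at least
    `threshold` distinct accounts in one hour. The threshold is an assumption:
    a mail client needs one or two accounts; the article puts Geodo at 20 an hour."""
    return sorted(
        (src, hour, len(accounts))
        for (src, hour), accounts in credentials_per_host_hour(lines).items()
        if len(accounts) >= threshold
    )


if __name__ == "__main__":
    for src, hour, n in flag_spam_bots(SAMPLE_LOG):
        print(f"{src} used {n} distinct SMTP accounts during {hour}:00")
```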
“Usually [criminals] are using other services to propagate. We saw the Cutwail botnet add spam as part of what it does,” Raff said. “We’ve never seen someone use their own thing as part of propagation, and definitely not with this amount of stolen SMTP credentials. We do see the number of stolen credentials growing and we believe that’s because those credentials are coming from the botnet itself.”
Geodo—past variants were also known as Bugat—is targeting victims from Germany, Austria, Hungary and the United States, primarily, Raff said. The emails are similar in nature, notifying someone of an invoice, shipment, or request for payment. They also include a link to download a zip file containing the malware disguised as a PDF.
Geodo also has a broader reach than traditional banking malware, sucking up everything it can.
“Instead of just targeting one specific industry or company, they seem to use sort of an opportunistic mass infection and try to gather as much information as they can so they can look within stolen data and identify specific companies, or sell it to someone with an interest,” Raff said. “It is criminal activity, but they seem to steal everything.”
This is indicative of a growing trend of cybercrime tools being used to gather information that later can be used for industrial espionage or even selling out activists to nation states interested in their movements.
“It’s about more than just grabbing everything,” Raff said. “We see sometimes attackers who usually are supposed to be targeted, using mass-spreading malware and want to stay under the radar in terms of attribution. Instead of using custom made sophisticated malware, they use something more with a criminal motive in order to be falsely attributed, which might be the case here as well.”