Geodo infostealer gets help from worm
Posted on 01.07.2014
The distribution potential of the infamous Cridex infostealer (also known as Feodo or Bugat) just went up a notch, as a new version of the malware works in conjunction with a worm that sends out emails with a link to download a zip file containing the trojan.


Initially distributed via removable drives, as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites, the threat is now delivered directly to users via their inboxes.

Swiss security expert Roman Hüssy has dubbed this new "version" of the malware Geodo, and says that it's not actually a variant of Feodo, but a successor built on completely different code that uses the same botnet C&C infrastructure and distribution mechanism. Like Feodo, it is after e-banking credentials.

He has been tracking the threat since May, and says that it is delivered via fake e-invoices. After Geodo lands on a system, it downloads the worm, which communicates with a C&C and initiates the sending of the fake emails containing links to Geodo.

"Through further analysis of this attack, we were able to determine that the second piece of malware (the worm) is provided with approximately 50,000 stolen SMTP account credentials including the related SMTP servers to connect to. The bot then uses these credentials to target mostly German accounts by impersonating legitimate email," shared Seculert's Aviv Raff.

"The C&C provides the malware with a batch of 20 targeted email addresses. The malware is also given a from address, subject line, and email body text unique to this particular batch of emails. Once the malware has run through the batch, it is provided with a new batch of 20 emails. And with each new batch of emails the C&C also sends a new from address, subject line, and body."

The stolen SMTP credentials come mostly from Germany (46%) and have likely been stolen by Geodo itself.
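The sending pattern described above (a compromised SMTP account pushing batches of 20 recipients, with a fresh From address and Subject for each batch) is visible from the mail relay's side. The following is an added example, not code from the article or from Seculert; it assumes a hypothetical relay log format that records the authenticated SMTP account, envelope sender, recipient and subject per accepted message, and it flags accounts whose distinct recipient count within a short window is far above normal, reporting how many From/Subject combinations they cycled through. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) relay log format, one accepted message per line:
#   <ISO timestamp> auth=<smtp account> from=<envelope sender> to=<recipient> subject="<subject>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) auth=(?P<auth>\S+) from=(?P<sender>\S+) '
    r'to=(?P<rcpt>\S+) subject="(?P<subject>[^"]*)"$'
)


def parse_log(text):
    """Parse relay log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def find_suspicious_senders(events, window=timedelta(minutes=10), min_recipients=20):
    """Return accounts that reached `min_recipients` distinct recipients inside any
    `window`, together with the number of distinct (sender, subject) pairs they used.
    A high pair count on a single authenticated account mirrors the per-batch
    rotation of From and Subject that the C&C hands to the worm."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["auth"]].append(ev)

    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        # Sliding window anchored at each message: count distinct recipients that follow it.
        for i, start in enumerate(evs):
            rcpts = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                rcpts.add(ev["rcpt"])
            peak = max(peak, len(rcpts))
        if peak >= min_recipients:
            flagged[account] = {
                "peak_recipients_in_window": peak,
                "batches": len({(e["sender"], e["subject"]) for e in evs}),
            }
    return flagged


def build_sample_log():
    """Constructed sample: one stolen account sends two batches of 20 in a few minutes
    (each batch with its own From and Subject), one normal account sends three mails
    over an hour. Names and addresses are made up for the example."""
    lines = []
    base = datetime(2014, 7, 1, 9, 0, 0)
    batches = [("buchhaltung@example-shop.de", "Ihre Rechnung 2014-0711"),
               ("service@example-bank.de", "Kontoauszug Juni")]
    n = 0
    for sender, subject in batches:
        for _ in range(20):
            ts = (base + timedelta(seconds=6 * n)).strftime("%Y-%m-%dT%H:%M:%S")
            lines.append(f'{ts} auth=gestohlen@example.de from={sender} '
                         f'to=empf{n}@example.org subject="{subject}"')
            n += 1
    for k in range(3):
        ts = (base + timedelta(minutes=20 * k)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f'{ts} auth=normal@example.de from=normal@example.de '
                     f'to=kollege{k}@example.org subject="Meeting"')
    return "\n".join(lines)


if __name__ == "__main__":
    for account, info in find_suspicious_senders(parse_log(build_sample_log())).items():
        print(account, info)
```

The thresholds are deliberately simple; in practice they would be tuned per account against its historical sending volume, and a hit would be the trigger for resetting the account's password and checking the host it was stolen from.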