Initially distributed via removable drives, as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites, the threat is now delivered directly to users via their inboxes.
Swiss security expert Roman Hüssy has dubbed this new "version" of the malware Geodo, and says that it's not actually a variant of Feodo, but a successor built on completely different code but using the same botnet C&C infrastructure and distribution mechanism. As Feodo, it is also after e-banking credentials.
He has been tracking the threat since May, and says that it is delivered via fake e-invoices. After Geodo lands on a system, it downloads the worm, which communicates with a C&C and initiates the sending of the fake emails containing links to Geodo.
"Through further analysis of this attack, we were able to determine that the second piece of malware (the worm) is provided with approximately 50,000 stolen SMTP account credentials including the related SMTP servers to connect to. The bot then uses these credentials to target mostly Germany accounts by impersonating legitimate email," shared Seculert's Aviv Raff.
"The C&C provides the malware with a batch of 20 targeted email addresses. The malware is also given a from address, subject line, and email body text unique to this particular batch of emails. Once the malware has run through the batch, it is provided with a new batch of 20 emails. And with each new batch of emails the C&C also sends a new from address, subject line, and body."
The stolen SMTP credential come mostly from Germany (46%) and have likely been stolen by Geodo itself.