In recent weeks G Data SecurityLabs has been observing a widespread spam campaign that is mainly targeting German Internet users. In two major waves so far, the names of four globally renowned companies have been misused as decoys to infect users with the Cridex banking Trojan. The attackers are currently disguising their attacks as invoices from Telekom, Vodafone or NTTCable, or as security and transaction notices from Volksbank.
The first wave was observed between 17 December 2013 and 20 December 2013. The second wave began on 6 January 2014 and is still active, interrupted only by the recent weekend – it seems as if the attackers are conducting their business like normal workers.
From the start of this week alone (13 January), G Data has recorded more than 1,100 new websites belonging to the four campaigns. Six different URL schemes are currently in use: two for Telekom, two for Volksbank and one each for NTTCable and Vodafone.
The G Data SecurityLabs statistics show a concentration on the Telekom campaign in the last few days: slightly more than 49% of the malicious URLs mentioned above belonged to it. Websites linked from the Volksbank bait emails accounted for slightly more than 28%, and NTTCable took third place with almost 12%.
All four companies are well known, and many email recipients initially regard the emails as trustworthy. However, a link to a malicious website is embedded in the well-designed fake invoices and notification emails.
If the user clicks the link, a .zip archive is downloaded to the computer. The archive contains an executable file carrying malware from the Cridex family; no software exploit is involved, and the banking Trojan only infects the PC once the user opens the .exe file themselves.
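The delivery chain above (lure mail, link to a .zip download, executable inside the archive) is exactly what a mail gateway or an analyst triaging a reported mail would want to check automatically. The following Python script is an added example written for this page, not G Data's code: it pulls the links out of a message, flags links that point straight at an archive, and inspects the archive in memory for Windows executables by extension, by a document.exe double extension and, independent of the file name, by the MZ header every PE file starts with. The sample mail, the .invalid domain names and the ZIP contents are constructed for the example and are not artefacts of the real campaign, whose URL schemes the post does not publish.

```python
"""Triage helper for archive-download lures of the kind described above.

Added example, not G Data's code. The mail text, the .invalid domain names
and the ZIP contents are constructed for this example.
"""
import io
import re
import zipfile
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample lure: a fake German invoice mail pointing at a .zip download.
SAMPLE_MAIL = """\
From: rechnung@example-telekom.invalid
To: kunde@example.invalid
Subject: Ihre Rechnung Januar 2014
Content-Type: text/plain; charset=utf-8

Sehr geehrte Kundin, sehr geehrter Kunde,
Ihre aktuelle Rechnung finden Sie unter
http://example-rechnung.invalid/rechnung/2014/01/Rechnung_2014_01.zip
Mit freundlichen Gruessen
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def extract_links(raw_mail: str) -> list:
    """Return every http(s) URL found in the text parts of an RFC 822 message."""
    msg = message_from_string(raw_mail)
    texts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            texts.append(payload.decode(charset, errors="replace"))
    return URL_RE.findall("\n".join(texts))


def is_archive_link(url: str) -> bool:
    """True if the URL path ends in an archive extension: a direct .zip
    download from an 'invoice' mail is the pattern of this campaign."""
    return urlparse(url).path.lower().endswith(ARCHIVE_EXTS)


def inspect_archive(zip_bytes: bytes) -> list:
    """Inspect a ZIP in memory without extracting anything to disk.

    Returns (member name, [reasons]) for every member that looks like a
    Windows executable: by extension, by a document.exe double extension,
    or, regardless of name, by the 'MZ' DOS header every PE file starts with.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            reasons = []
            if name.endswith(EXECUTABLE_EXTS):
                reasons.append("executable extension")
                stem = name.rsplit(".", 1)[0]
                if stem.endswith(DOCUMENT_EXTS):
                    reasons.append("double extension")
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("MZ header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_archive(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed stand-in for the downloaded lure: a 'PDF invoice' that is
    really a PE stub (64 bytes starting with MZ; not a working program)."""
    pe_stub = b"MZ" + b"\x00" * 62
    return build_archive({
        "Rechnung_2014_01.pdf.exe": pe_stub,
        "Hinweis.txt": b"Bitte oeffnen Sie die beigefuegte Rechnung.\n",
    })


def triage(raw_mail: str, fetched: dict) -> dict:
    """Run both checks. `fetched` maps archive URL -> downloaded bytes so the
    function stays offline; in a gateway this would be a sandboxed fetch."""
    links = extract_links(raw_mail)
    archive_links = [u for u in links if is_archive_link(u)]
    report = {"links": links, "archive_links": archive_links, "findings": {}}
    for url in archive_links:
        if url in fetched:
            report["findings"][url] = inspect_archive(fetched[url])
    report["verdict"] = "block" if any(report["findings"].values()) else "allow"
    return report


if __name__ == "__main__":
    lure_url = extract_links(SAMPLE_MAIL)[0]
    result = triage(SAMPLE_MAIL, {lure_url: build_sample_archive()})
    print(result["verdict"], result["findings"])
```

The MZ check is the part worth keeping even if the extension lists are tuned away: a renamed executable or an archive member with a harmless-looking name still starts with the DOS header, and reading two bytes from the compressed stream costs nothing compared with detonating the file.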
According to the latest information, the malicious files are hosted on servers in Romania, Russia, Britain and the USA. The attackers keep uploading new variants of the malware to stay ahead of signature-based AV detection for as long as possible.
However, the various G Data protection technologies hold the malware in check, foremost among them the G Data BankGuard technology included in the current end-user products. BankGuard detections of Cridex have reached a new high in recent weeks. The Trojan was first detected in 2011 but has only shown significant levels of activity since April 2013 (see G Data Malware Report H1 2013). In the recent past it has been even more prominent than the established banking Trojan ZeuS and all its clones, such as Citadel and Gameover.
In this latest example, it is clear that sending spam as an initial attack vector is still far from unfashionable. The attackers have gone to great pains to generate different versions of the fraudulent emails and make them look deceptively realistic. Only a few errors betray the fact that these are fakes.
With a sophisticated payload such as Cridex, cyber attackers are able to plunder on various levels – for example intercepting transactions, stealing personal data and selling it on, installing new malware, sending spam and more.