
System Infected: W64.Cridex Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W64.Cridex malware activity on the infected machine.

Additional Information

The Trojan may arrive on the compromised computer after being downloaded by other threats.

When the Trojan is executed, it creates the following registry entry as binary data:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\[GUID]\ShellFolder\[NUMBER]=[ENCRYPTED BINARY DATA]
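As an added defender-side example (not code from the Symantec page), the check below scans a `reg export`-style dump of HKCU for the persistence entry described above, flagging binary values with purely numeric names under an Explorer CLSID ShellFolder subkey. The .reg text and GUIDs are constructed, and the minimal parser assumes each hex value sits on one line rather than wrapped with trailing backslashes as a real export may do.

```python
import re

# Key shape the advisory describes: a per-user Explorer CLSID subkey whose
# ShellFolder holds a value with a purely numeric name and binary data.
CRIDEX_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
    r"\\CLSID\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\ShellFolder$",
    re.IGNORECASE,
)

def parse_reg_export(text):
    """Parse the subset of .reg syntax used here: [key] headers followed by
    "name"=hex:aa,bb,... / "name"=dword:00000000 / "name"="string" lines.
    Returns a list of (key, value_name, value_type, data) tuples."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key is not None:
            name, _, value = line[1:].partition('"=')
            if value.startswith("hex:"):
                entries.append((key, name, "REG_BINARY",
                                bytes.fromhex(value[4:].replace(",", ""))))
            elif value.startswith("dword:"):
                entries.append((key, name, "REG_DWORD", int(value[6:], 16)))
            else:
                entries.append((key, name, "REG_SZ", value.strip('"')))
    return entries

def find_cridex_indicators(entries):
    """Return (key, value_name, byte_length) for each entry matching the pattern."""
    return [(key, name, len(data)) for key, name, kind, data in entries
            if kind == "REG_BINARY" and data and name.isdigit()
            and CRIDEX_KEY_RE.match(key)]

# Constructed sample export (hypothetical GUIDs): one legitimate shell-folder
# Attributes value, one string value, and one suspicious numeric binary value.
SAMPLE_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{11111111-2222-3333-4444-555555555555}\ShellFolder]
"Attributes"=dword:f0800000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{ABCDEF01-2345-6789-ABCD-EF0123456789}\ShellFolder]
"1427"=hex:9c,3e,01,7a,55,e0
"Note"="not binary"
"""

if __name__ == "__main__":
    for key, name, size in find_cridex_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"suspicious: {key}\\{name} ({size} bytes)")
```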

The Trojan opens a back door on the compromised computer and connects to one of several remote locations, all on TCP port 8080.

The Trojan may send and receive data (including configuration files) to and from the previously mentioned locations.

The Trojan may perform the following actions:
  • Take screenshots
  • Steal information entered in forms
  • Inject code into websites visited on the compromised computer
  • Download other module components
  • Log keystrokes

The Trojan targets the following browsers:
  • Chrome
  • Firefox
  • Internet Explorer

Affected

  • Various Windows platforms.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube