W32.Cridex is a threat that adds the compromised computer to a botnet and injects itself into the victim’s web browser in order to steal information, including banking credentials.
The malware typically arrives through emails with malicious attachments. The threat can self-replicate by spreading to removable devices.
Once the threat executes, it opens a back door on the computer. The malware downloads additional files and adds the computer to a botnet. It is capable of logging keystrokes and capturing screenshots. It can also inject content into banking sites that the user visits, allowing the threat to steal any sensitive information that the victim inputs.
The threat is mainly distributed through emails with malicious attachments. It can also self-replicate by copying itself to mapped and removable drives.
The email usually carries a Microsoft Office attachment containing malicious macros, and the message body uses social-engineering text to trick the user into opening the file.
The message typically claims that the attachment is an invoice or shipment notice. When the user opens the document, it prompts them to enable Office macros, which Office disables by default. If the user enables them, the macro runs, downloading and installing W32.Cridex on the computer.
W32.Cridex is capable of propagating by itself. After infecting a computer, the threat can spread by copying itself to network drives and attached local storage devices, such as USB keys. The malware runs any time a compromised drive is accessed.
When the threat is executed, it registers the compromised computer with one of Cridex’s botnets. The threat then communicates with the bot controller and receives its commands over a peer-to-peer (P2P) network of infected computers. The P2P design makes the threat more resilient to takedowns, as there is no single central command-and-control (C&C) server that distributes orders.
The commands sent to an infected computer may instruct the malware to perform a variety of activities. The threat can open a back door on the computer, giving the attackers remote access to it. It can download additional files or modules to further extend its capabilities.
The malware can also perform a variety of information-stealing activities, such as logging keystrokes and capturing screenshots. It can also inject itself into browser processes to monitor communications and steal information, such as passwords, cookies, and web form content.
If the threat detects that the user is visiting a specific banking website, it injects malicious code into the browser to display fraudulent web pages. This content mimics the appearance of a banking site’s login page or transaction section, so any information that the user inputs is sent to the attackers.
Symantec has observed the following geographic distribution of this threat:
Symantec has observed the following global Cridex infection trends between January and October 2015:
The following Symantec detections protect against this threat family.
Intrusion Prevention System
Symantec Messaging Gateway’s Disarm technology also protects computers from this threat by removing the malicious content from attached documents before they reach the user. Email-filtering services such as Symantec Email Security.cloud can help to filter out potential targeted attack emails before they reach users.
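The two mail-gateway checks this page describes, flagging an Office attachment that carries macros (the delivery mechanism described in the distribution section) and disarming it by removing the macro content before delivery, can be illustrated in a few dozen lines. The following is an added example written for this page; it is not Symantec's code and is not how Disarm is implemented. It assumes the standard OOXML package layout (a `vbaProject.bin` part referenced from `[Content_Types].xml` and a `.rels` file); the legacy OLE check is a byte-level heuristic rather than a compound-file parse, and the sample documents are constructed in memory for the demonstration.

```python
"""Flag VBA macros in Office attachments and strip them from OOXML packages.

Added example for this page, not Symantec's code. Two checks are shown:
  * has_macros():   the detection a mail filter would run on an attachment;
  * strip_macros(): a simplified content-disarm step that removes the VBA
    part from an OOXML (.docm/.xlsm) package so the lure cannot execute.
The OLE branch is a byte-search heuristic, not a compound-file parser.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # legacy .doc/.xls container
VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$")
# Macro-enabled main-part content types and their macro-free equivalents.
PLAIN_CT = {
    b"application/vnd.ms-word.document.macroEnabled.main+xml":
        b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    b"application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        b"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
}


def has_macros(data: bytes) -> bool:
    """True if the attachment carries a VBA project."""
    if data.startswith(OLE_MAGIC):
        # OLE directory entry names are UTF-16LE; Word and Excel both keep the
        # project under a storage whose name contains _VBA_PROJECT. Heuristic only.
        return "_VBA_PROJECT".encode("utf-16-le") in data
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(VBA_PART.match(n) for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def strip_macros(data: bytes) -> bytes:
    """Rebuild an OOXML package without its VBA part, the relationship that
    points at it, and its content-type entries (simplified disarm step)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if VBA_PART.match(name):
                continue                      # drop the macro payload itself
            body = src.read(name)
            if name == "[Content_Types].xml":
                body = re.sub(rb"<Override\b[^>]*vbaProject\.bin[^>]*/>", b"", body)
                for macro_ct, plain_ct in PLAIN_CT.items():
                    body = body.replace(macro_ct, plain_ct)
            elif name.endswith(".rels"):
                body = re.sub(rb"<Relationship\b[^>]*vbaProject\.bin[^>]*/>", b"", body)
            dst.writestr(name, body)
    return out.getvalue()


def references_vba(data: bytes) -> bool:
    """True if any part name or part body of an OOXML package still mentions vbaProject."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any("vbaProject" in n or b"vbaProject" in z.read(n) for n in z.namelist())


def build_sample(macro: bool) -> bytes:
    """Constructed minimal Word package (.docm when macro=True, else .docx);
    a stand-in for a test attachment, not a real Cridex lure."""
    word_macro_ct = b"application/vnd.ms-word.document.macroEnabled.main+xml"
    main_ct = word_macro_ct if macro else PLAIN_CT[word_macro_ct]
    types = [b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             b'<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>',
             b'<Override PartName="/word/document.xml" ContentType="' + main_ct + b'"/>']
    rels = [b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if macro:
        types.append(b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>')
        rels.append(b'<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>')
    types.append(b"</Types>")
    rels.append(b"</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b"\n".join(types))
        z.writestr("word/_rels/document.xml.rels", b"\n".join(rels))
        z.writestr("word/document.xml", b"<w:document/>")
        if macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\0" * 8)  # placeholder, not a real project
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample(macro=True)
    print("macro-enabled lure flagged:", has_macros(lure))           # True
    print("disarmed copy flagged:", has_macros(strip_macros(lure)))  # False
```

A gateway would run `has_macros()` on every Office attachment and either quarantine the message or deliver a `strip_macros()` copy in place of the original; the content-type rewrite is what lets the disarmed file open as an ordinary `.docx`/`.xlsx` rather than as a macro-enabled document with a dangling reference. A production filter should parse OLE files properly (for example with the `olefile` library) instead of relying on the byte search used here.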