New Feodo variant follows Geodo steps

Cridex (aka Feodo/Bugat) activity reached its zenith towards the end of 2013 and early 2014 in which it almost disappeared until it returned again in June reincarnated as what the guys at baptized as Geodo.

Earlier this week, S21sec’s Ecrime team detected what seems to be an evolution of one of the old variants -unrelated to Geodo- which has new and noteworthy features.

First of all, it uses a loader with limited functionality as the first infection step used to download the main trojan module in the form of a DLL using the following paths and injecting itself into explorer.exe as in earlier versions:

Trojan network communication is done through the typical 8080 although the path is a bit different from what we are used to:

Once the installation step is completed, the trojan downloads the configuration file which is just a gzip file with a fake header:

The config file uses the XML like format seen on previous versions which has the following structure:

  • modules: Embedded new modules encoded in Base64:
    • vnc_x32
    • vnc_x64
    • socks_x32
    • socks_x64
    • bot_x32
    • bot_x64
  • httpshots y clickshots: URL patterns for which the trojan must perform screenshots
  • formgrabber: URL patterns used for form grabbing
  • bconnect: Back Connect Server
  • vncconnect: VNC Server
  • redirects: External resources references used on injections
  • httpinjects: Entity URL patterns with their corresponding injections

Affected entities seems to be mainly from UK, Ireland, United Arabian Emirates and Qatar, with some injections designed to bypass second authentication factor which, in combination with the VNC module, will allow the attacker to supplant the victim’s online banking session.

So it seems that after some months of silence on Cridex world, a new old friend (dressed up for the ocassion) joins Geodo on its journey.

Santiago Vicente
S21sec Ecrime
Follow us on Twitter: @smvicente, @S21sec, @S21secSecurity

The MD5 signatures of the files analyzed by S21sec were:

  • loader: 9d81ac7604ef2a0096537396a4a91193
  • bot_x32: 04b55edf43a006f9c531287161fa2fa8
  • vnc_x32: c73c3c18b74c67e88d5b3f4658016dcd

Other hashes for the rest of the modules are:

  • vnc_x64: 5ecfc1d3274845bf5ff3f66ca255945e
  • socks_x32: 53eb0e59b5bb574df5755527dc3d4f47
  • socks_x64: 0dfc66eadbd9e88b2262ac848eadee8f
  • bot_x64: 4df1cef98bbc174ba02f17d2ca6c0a58

    Deja un comentario