Contributor: Lionel Payet
Last week we saw how W32.Waledac was getting cozy with W32.Virut, but let us not forget about other spam botnets, like Trojan.Pandex (a.k.a. Cutwail), as they also persist in their propagation affairs.
The people behind W32.Cridex have used many attack vectors to spread the malware, including taking advantage of exploit kits like Blackhole, or attempting to deceive users with crafted PDF documents. This month they have managed to compose a more elaborate attack.
The attackers have managed to host a malicious HTML file at a legitimate web site, which has been compromised. This file would then redirect the user to a Blackhole exploit kit, which would deliver W32.Cridex to the compromised computer. But how did they attempt to deceive the user? By renting a botnet.
The Pandex botnet, also known as Cutwail and Pushdo, is not a new threat: it has been in the wild for more than six years and is responsible for roughly 18 percent of the spam emails detected by Symantec per day, worldwide. It not only sends spam, it is able to collect email addresses from compromised computers which can then be used in future campaigns. Symantec has several detections for the threat:
Using our telemetry systems, we can estimate the following distribution of the threat:
Figure 1. Heatmap illustrating the distribution of the Trojan.Pandex spam
W32.Cridex attack vector
The following image illustrates how W32.Cridex may arrive on a compromised computer.
Figure 2. W32.Cridex attack steps
Computers that were infected with Trojan.Pandex sent emails like the following:
Figure 3. Sample Trojan.Pandex email
If the user follows the link, a malicious HTML file hosted at judiciary.go.ke is then accessed, which would redirect the user to the following malicious URL:
- dfudont.ru:8080/[REMOVED]/column.php
The domain resolves to the following locations:
- 212.112.[REMOVED] (Germany)
- 89.111.[REMOVED] (Russian Federation)
- 91.224.[REMOVED] (Lithuania)
Symantec has a number of IPS detections for the BlackHole v2 exploit kit, and our telemetry data indicates that we have detected the following signatures from the malicious URL:
- Web Attack: Blackhole Exploit Kit Website 8
- Web Attack: Blackhole Exploit Kit
- Web Attack: Blackhole Functions
- Web Attack: Blackhole Toolkit Website 20
- Web Attack: Blackhole Toolkit Website 31
The following heatmap illustrates the distribution for the above detections:
Figure 4. Heatmap distribution for IPS detections associated with Blackhole exploit kit
If the Blackhole exploit is successful, W32.Cridex is then downloaded onto the compromised computer. Symantec has the following detections in place:
The worm then communicates with its command-and-control (C&C) servers, enabling the C&C servers to download, upload, and execute files on the compromised computer, potentially exposing the user to even more malware.
At the time of analysis, the C&C servers being used included:
- 140.123.[REMOVED]:8080
- 182.237.[REMOVED]:8080
- 220.86.[REMOVED]:8080
- 221.143.[REMOVED]:8080
- 64.85.[REMOVED]:8080
- 163.23.[REMOVED]:8080
- 210.56.[REMOVED]:8080
- 173.245.[REMOVED]:8080
- 173.201.[REMOVED]:8080
- 203.217.[REMOVED]:8080
- 97.74.[REMOVED]:8080
- 62.28.[REMOVED]:8080
- 69.64.[REMOVED]:8080
- 38.99.[REMOVED]:8080
- 174.142.[REMOVED]:8080
- 78.28.[REMOVED]:8080
- 88.119.[REMOVED]:8080
- 188.117.[REMOVED]:8080
- 217.65.[REMOVED]:8080
- 188.165.[REMOVED]:8080
After our analysis, we can confirm the findings of our colleagues from Dynamoo and that the compromised server has been notified and the malicious file removed.
We advise users to ensure operating systems and software are up to date and to avoid clicking on suspicious links while browsing the Internet or checking email.