Geodo: New Cridex Version Combines Data Stealer and Email Worm

by on | Leave a comment
Filed under Industry News, Research Lab and tagged , , , .


Recent efforts by our Research Lab have revealed new activity related to Cridex. As you may recall, Cridex is a data stealer also referred to as Feodo, and Bugat. The new Cridex version we are seeing now, aka Geodo, combines a self-spreading infection method–effectively turning each bot in the botnet into a vehicle for infecting new targets.

By analyzing a sample in our Elastic Sandbox (Figure 1), we have deduced that the malware progresses as follows:

  1. Geodo downloads additional piece of malware
  2. The new malware communicates with a C&C
  3. The downloaded malware sends email with link to download a zip file containing Geodo


Figure 1: Elastic Sandbox analysis results of the new Cridex version

Through further analysis of this attack, we were able to determine that the second piece of malware (the worm) is provided with approximately 50,000 stolen SMTP account credentials including the related SMTP servers to connect to. The bot then uses these credentials to target mostly Germany accounts by impersonating legitimate email.

country pie chart updated numbers

Figure 2: Stolen SMTPs Country of Origin

The C&C provides the malware with a batch of 20 targeted email addresses.The malware is also given a from address, subject line, and email body text unique to this particular batch of emails. Once the malware has run through the batch, it is provided with a new batch of 20 emails. And with each new batch of emails the C&C also sends a new from address, subject line, and body.


Figure 3: Process by which the downloaded malware spreads Geodo to infect new machines

The emails we have seen, written in German, contain a link prompting the recipient to download a zip file which contains an executable disguised as a PDF document. By opening the file, Geodo is installed on the newly infected endpoint, adding a new bot to the mix (Figure 4).


Figure 4: Actual email sent by Geodo

There is no definitive information on where the 50,000 stolen credentials came from, but Cridex is the suspected culprit. And as a data stealer, Geodo can compromise the intellectual property of a corporation, putting its business and reputation at risk. This new email worm capability displayed by Geodo serves to further emphasize the growing threat of advanced malware to today’s enterprises.

Contributors: Adi Raff and Shimon Zvirin





Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>