BKDR_CRIDEX.CHX

This backdoor is served via a spammed message that leads to a Blackhole Exploit Kit. It monitors the Internet Explorer address bar and title bar for strings that are related to certain banking websites.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It deletes the initially executed copy of itself.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system and executes them:

• %Application Data%\KB{random number}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops the following files:

• %User Temp%\exp{number}.tmp.bat - used to delete the initially executed copy. This file is deleted after execution

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It creates the following folders:

• %Application Data%\{random folder name}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Local\XME{8 random characters}
• Local\XMI{8 random characters}
• Local\XMM{8 random characters}
• Local\XMS{8 random characters}
• Local\XMF{8 random characters}
• Local\XMR{8 random characters}
• Local\XMQ{8 random characters}
• Local\XMB{8 random characters}

It injects codes into the following process(es):

• explorer.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
KB{random number}.exe = "%Application Data%\KB{random number}.exe"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{random value 1}

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{random value 2}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{random value 2}
Default = "{script containing bank-related strings}"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Monitor browser cookies
• Download and execute arbitrary files
• Upload stolen information
• Download configuration files

It connects to the following websites to send and receive information:

• http://{BLOCKED}.{BLOCKED}.90.92:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.204.148:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.167.124:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.36.93:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.143.90:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.201.180:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.155.222:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.156.20:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.208.130:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.218.123:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.130.98:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.94.212:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.160.142:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.200.151:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.99.48:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.207.52:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.135.227:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.53.168:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.5.195:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.74.5:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.3.246:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.3.246:8080/jsbqmCA/hCpyb/Cnw/ED
• http://{BLOCKED}.{BLOCKED}.106.162:8080/jsbqmCA/hCpyb/Cnw/ED

Other Details

This backdoor deletes the initially executed copy of itself

NOTES:

This backdoor monitors browser activities of the affected system, specifically the address bar or title bar, using the following strings:

• \.com/k1/
• /ach/
• /authentication/zbf/k/
• /bb/logon/
• /cashman/
• /cashplus/
• ebanking-ch2\.ubs\.com
• /clkccm/
• /cmmain\.cfm
• nbad\.com
• postfinance\.ch
• abnamro\.nl
• rabobank\.nl
• anz\.com
• nab\.com\.au
• ing\.nl
• snsbank\.nl
• directnet\.com
• /cmserver/
• /cmwire
• achredirect\.aspx
• cbonline
• /ebc_ebc1961/
• /ibs\.
• /ibws/
• /icm/
• /icm2/
• /inets/
• /livewire/
• /loginolb/loginolb
• /netbnx/
• /olbb/
• /phcp
• /sbuser/
• /smallbiz/
• /wcmpw/
• /webcm/
• /wire/
• /wires/
• 2checkout\.com
• ablv\.com
• access\.jpmorgan\.com
• access\.usbank\.com
• accessbankplc\.com
• accountoverview\.aspx
• accurint\.com
• achieveaccess\.citizensbank\.com
• achpayment
• achweb\.unionbank\.com
• achworks\.com
• alltimetreasury\.pacificcapitalbank\.com
• alphabank\.com
• amegybank\.com/
• anb\.portalvault\.com
• atbonlinebusiness\.com
• auth\.umb\.com
• authmaster\.nationalcity\.com
• baltikums\.com
• baltikums\.eu
• banesco\.com\.pa
• bankbyweb
• bankfirst\.com
• banking\.calbanktrust\.com
• banking\.firsttennessee\.biz
• accurint\.com
• plainscapital\.gfxwebwire\.com
• sterlingpayment\.com
• rbsm\.com
• business\.swedbank\.lv
• secure\.accesshorizon\.com
• myonline\.bankbv\.com
• cencorpcu\.com/
• banknet\.lv
• bankofbermuda\.com
• bankofcyprus\.com
• bankonline\.sboff\.com
• bankonline\.umpquabank\.com
• bbo\.1stsource\.com
• bib\.lv
• billauth
• billmenu
• bizcurrency\.com
• blilk
• bmo\.com/
• bmoharrisprivatebankingonline\.com
• bmomutualfunds\.com
• bnycash\.bankofny\.com
• bob\-w\.
• bob\.sovereignbank\.com
• bolb\-east\.associatedbank\.com
• bolb\-west\.associatedbank\.com
• bolb\.
• boveda\.banamex\.com\.mx
• bscincky\.com
• business\.macu\.com
• business\.netbankerplus\.com
• business_solutions
• businessaccess\.citibank\.citigroup\.com
• businessappshome
• businessbanking\.cibc\.com
• businessclassonline\.compassbank\.com
• businesslogin
• businessmanager\.com
• businessonline
• businessportal\.mibank\.com
• butterfieldonline\.ky
• bxs\.com
• cashanalyzer\.com
• cashmanager\.mizuhoe\-treasurer\.com
• cashmgmt
• cashmgt
• cashproonline\.bankofamerica\.com
• bankofamerica\.com
• cashproweb\.com/cpwportal
• cbbusinessonline\.com
• cencorpcu\.com
• cfgbusinessaccess\.com
• checkgateway
• checkout\.com/va/login
• cib\.bankofthewest
• cibconline\.cibc\.com
• cimbanque\.net
• citizensbankmoneymanagergps\.com
• cmachm\.w
• cmbmnt\.w
• cmol\.bbt\.com/auth
• cmwirp\.w
• cnbsec1\.
• colb\.
• comerica\.com
• commercebusinessdirect\.com
• commercial\.wachovia\.com
• commercialservices
• connect\.bankcolonial\.com
• connect\.colonialbank\.com
• constitutioncorp\.org
• corpach
• corporate\.epfc\.com
• corporateaccounts
• corporatebankingweb
• corporateconnect\.net
• corpower\.coop
• createcorpwire
• createwire
• cu\.com
• cu\.org
• danskebanka\.lv
• db\-direct\.db\.com
• directline4biz\.com
• directnet\.com
• e\-moneyger
• e\-norvik\.lv
• easywebcpo\.td\.com/waw/idp
• ebanking\-services
• ebemo\.bemobank\.com
• ebill\.highmark\.com
• ecash\.
• ecm\-transfers\.unionbank\.com
• ecms\.unionbank\.com
• efirstbank\.com
• ekp\.lv
• enternetbank\.com
• enterprise2\.openbank\.com
• epd\.uscentral\.org
• eurobankefg\.com
• exact4web
• exness\.com
• express\.53\.com
• expressdeposit\.colonialbank\.com
• fbmedirect\.com
• ffinonline\.com
• ffrontier\.com
• firstbancorp\.com
• firstbanks\.com
• firstcitizens\.com
• fnfgbusinessonline\.enterprisebanker\.com
• fxpayments\.americanexpress\.com
• geonline\.lv
• global\-ebanking\.com
• global1\.onlinebank\.com
• globalink\.leumiusa\.com
• goldleaf
• guard\.scotiabank\.com
• handelsbanken\.lv
• hbcash\.exe
• hblibank\.com
• hbproxy\.exe
• hellenicnetbanking\.com
• hillsbank\.com
• hiponet\.lv
• hkbea
• hsbc\.com\.mx
• i\-linija\.lt
• ib\.dnb\.lv
• ibanking\-services\.com
• ibbpl2\.com
• ibbpowerlink\.com
• ibbusinessnet\.com
• ibcbankonline\.ibc\.com
• ifxmanager\.bankofny\.com
• ifxmanager\.bnymellon\.com
• inetbanker
• injectreceiver
• internationalbanking\.
• internationalpayments\.
• internet\-ebanking\.com
• internetbanker\.cc
• itinternet\.net
• itreasury\.amsouth\.com
• ktt\.key\.com
• lakelandbank\.com
• libertymutualbusinessdirect\.com
• lionbank\.com
• login_business\.asp
• logincm
• loyalbank\.com
• lv\.unicreditbanking\.net
• marfinbank\.com\.cy
• mbachexpress\.com
• mcb\-home\.com/online
• memberach
• metrobankdirect\.com
• midatlanticcorp\.org
• moneymanagergps\.com
• multinetbank\.eu
• my\.statestreet\.com
• mycorporate\.org
• myonlineservices\.cbolobank\.com
• nashvillecitizensbank\.com
• nationalcity\.com/consultnc
• nbarizona\.com/login_business\.jsp
• nbb\.controlsecure\.com
• ncms\-inc\.com
• netteller
• nfbconnect\.com
• northbaybancorp\.com
• northerntrust\.com
• norvik\.lv
• nsbank\.com
• ntrs\.com
• nubi
• olb\.
• olb\.ent\.com/business/
• online\-offshore\.lloydstsb\.com
• online\.1stnb\.com