DESCRIPTION NAME:

CRIDEX - HTTP (Request)

 CONFIDENCE LEVEL: HIGH
 SEVERITY INBOUND:
 SEVERITY OUTBOUND: High
 Severity scale: Informational, Low, Medium, High

 Overview and description

CRIDEX is a banking worm that targets the customers of banks around the world. Earlier versions are able to propagate via removable drives; newer versions no longer have this capability to spread on their own. Some of the newer versions are downloaded via the Blackhole exploit kit. It monitors login pages and cookies and steals credentials. CRIDEX may also download and execute other malware. It accesses numerous URLs to download files or update itself. Some CRIDEX samples employ a Domain Generation Algorithm (DGA), so the URLs they access change over time and a static list of known callback domains goes stale quickly.
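The DGA point above is the one that matters for detection: a blocklist of yesterday's callback domains catches none of today's. The script below is an added example, not code from the original page and not CRIDEX's actual DGA (which the page does not specify). `toy_dga` is a constructed date-seeded stand-in, `SAMPLE_LOG` and `ALLOWLIST` are constructed, and the length and entropy thresholds in `looks_generated` are assumptions chosen for the illustration. It shows the blocklist going stale and a cheap lexical check on the Host of outbound HTTP requests that does not depend on knowing the domains in advance.

```python
"""Why a DGA defeats a static URL blocklist, and a lexical check that needs no blocklist.

Added example: this is not code from the original page and it does not
reproduce CRIDEX's real DGA, which the page does not specify. toy_dga is a
constructed stand-in, SAMPLE_LOG and ALLOWLIST are constructed, and the
length/entropy thresholds are assumptions chosen for the illustration.
"""
from __future__ import annotations

import hashlib
import math
import re
from collections import Counter
from datetime import date, timedelta

# "<timestamp> <source ip> <method> http://<host>[:port]<path>" (constructed log format)
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) http://(?P<host>[^/\s]+)(?P<path>\S*)")

SAMPLE_LOG = [  # constructed proxy log lines, not captured traffic
    "2016-03-22T09:00:01Z 10.0.0.12 GET http://www.example.com/",
    "2016-03-22T09:00:09Z 10.0.0.12 POST http://kfzwhqtvpmrx.com/index.php",
    "2016-03-22T09:00:15Z 10.0.0.12 GET http://update.microsoft.com/",
    "2016-03-22T09:00:17Z 10.0.0.12 GET http://stackoverflow.com/questions",
    "2016-03-22T09:00:20Z 10.0.0.12 POST http://hjqwtzvxrkdlp.net:8080/a.php",
    "this line does not parse and is skipped",
]
ALLOWLIST = {"stackoverflow.com"}  # constructed; in practice a popularity or first-seen baseline


def toy_dga(day: date, count: int = 5) -> list[str]:
    """Derive `count` callback hostnames from the date. Constructed, not CRIDEX's algorithm."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 lowercase letters
        names.append(label + ".com")
    return names


def blocklist_coverage(seen_day: date, today: date) -> int:
    """How many of today's generated domains a blocklist built on seen_day would catch."""
    return len(set(toy_dga(seen_day)) & set(toy_dga(today)))


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(host: str) -> str:
    """Second-level label of host; no public-suffix list (assumption, fine for .com/.net)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(host: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Long, high-entropy second-level label: a cheap DGA-likeness check (thresholds assumed)."""
    label = registered_label(host)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def flag_requests(log_lines, blocklist: set[str], allowlist: set[str]) -> list[tuple[str, str]]:
    """Return (host, reason) for each request caught by the blocklist or the lexical check."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = m.group("host").split(":")[0]  # drop an explicit port
        if host in blocklist:
            hits.append((host, "blocklist"))
        elif host in allowlist:
            continue  # known-good; the lexical check alone false-positives on long brand names
        elif looks_generated(host):
            hits.append((host, "dga-like"))
    return hits


if __name__ == "__main__":
    day0 = date(2016, 3, 21)  # the page's correlation-pattern release date, reused only as a seed
    day1 = day0 + timedelta(days=1)
    print("callbacks on day0:", toy_dga(day0))
    print("callbacks on day1:", toy_dga(day1))
    print("day1 domains caught by a blocklist built on day0:", blocklist_coverage(day0, day1))
    for host, reason in flag_requests(SAMPLE_LOG, set(toy_dga(day0)), ALLOWLIST):
        print(f"{host}: {reason}")
```

Run without the allowlist and `stackoverflow.com` is also flagged: thirteen letters with only one repeat score above the entropy threshold, which is why a lexical DGA check is a triage signal to combine with a domain-popularity or first-seen baseline, not a verdict on its own. Note also that the two constructed "dga-like" hosts are caught even though neither appears in any blocklist, which is the property a callback signature needs against a DGA family.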

 Technical details

Attack Phase: Command and Control Communication

Protocol: HTTP

Risk Type: MALWARE

Threat Type: Malicious Behavior

Confidence Level: High

Severity: High (Outbound)

DDI Default Rule Status: Enabled

Event Class: Callback

Event Sub Class: Bot

Behavior Indicator: Callback

APT Related: NO

 Solutions

Network Content Inspection Pattern Version: 1.12963.00
Network Content Inspection Pattern Release Date: 24 Jul 2017
Network Content Correlation Pattern Version: 1.12477.00
Network Content Correlation Pattern Release Date: 21 Mar 2016
