The Cridex trojan targets 137 financial organizations in one go

Jump to navigation Jump to search

(Publication) Google search: [1]

The Cridex trojan targets 137 financial organizations in one go
M86security cridex cnc.png
Botnet Cridex, ZeuS, SpyEye, Carberp
Malware Cridex (bot), Carberp (bot), Dapato
Botnet/malware group
Exploit kits Phoenix
Distribution vector
Operation/Working group
Date 2012 / March 1st, 2012
Editor/Conference M86 Security Labs
Link (Archive copy)
Author Daniel Chechik


A few weeks ago M86 Security Labs alerted that cybercriminals managed to compromise hundreds of WordPress-based sites. These attacks started with several large spam campaigns as reported in our most recent blog post on Cutwail. These emails included embedded URL links or HTML attachments that tricked the user to browse to the compromised Web sites. All these links eventually lead to Web pages infected with the Phoenix exploit kit. These cybercriminals operate Fast flux networks, which are a DNS technique used by botnets to hide the main C&C servers.

After the target machine is successfully exploited, the Phoenix exploit kit downloads a Trojan to the victim’s machine. The downloaded Trojan is recognized by antivirus vendors under several names such as Cridex, Carberp and Dapato. Antivirus detection is quite low and only ten out of 43 antivirus scanners in VirusTotal can detect it.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR906,
   editor = {M86 Security Labs},
   author = {Daniel Chechik},
   title = {The Cridex trojan targets 137 financial organizations in one go},
   date = {01},
   month = Mar,
   year = {2012},
   howpublished = {\url{}},