M86 Security Labs, an Irvine, Calif.-based secure web gateway vendor, announced that it has discovered a Cridex banking Trojan being distributed through the Phoenix exploit kit and targeting 137 financial organizations around the globe.
According to M86 researchers, the attacks started with several large spam campaigns run by cyber criminals who had previously compromised hundreds of WordPress-based websites. The spam emails carried embedded URL links or HTML attachments that trick the victim into browsing those compromised websites, said M86. All of these links eventually lead to web pages serving the Phoenix exploit kit.
"After the target machine is successfully exploited, the Phoenix exploit kit downloads a Trojan to the victim's machine," writes Daniel Chechik in a blog post on the M86 website. "The downloaded Trojan is recognized by antivirus vendors under several names such as Cridex, Carberp and Dapato. Antivirus detection is quite low and only ten out of 43 antivirus scanners in VirusTotal can detect it."
Once the Trojan is installed, the cyber criminals can monitor which websites the user visits, taking screenshots of every page the user accesses in real time, writes Chechik.
According to M86, Cridex has a plug-in that includes a database of 137 banks. The control panel holds the structure of each bank's web pages, so the Trojan can identify which valuable fields (such as login credentials) to send back to the command-and-control server. Moreover, the cyber criminals can create and change the forms that the victim normally completes, for example to ask for additional data the bank's real page never requests, writes Chechik.
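To make the mechanism above concrete, here is an added, simplified model in Python of how a banking Trojan's "web inject" configuration drives form tampering and field harvesting, together with a server-side check a bank could run against it. This is illustrative code written for this article, not Cridex's code, its configuration format, or its bank list; the target hostname, the field names and the login page are constructed, and the injected "ATM PIN" field is a hypothetical example of the kind of extra form field such a Trojan adds.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed target database: one hypothetical bank (not a real site, not Cridex's list).
# For each targeted page the config records which posted fields are worth stealing,
# where to splice extra HTML into the real form, and which injected field to steal too.
TARGETS = {
    "online.examplebank.test": {
        "path_prefix": "/login",
        "capture": ["userid", "password"],
        "inject_before": '<input type="submit"',
        "inject_html": '<label>ATM PIN <input name="atm_pin" type="password"></label>\n',
        "capture_injected": ["atm_pin"],
    },
}

# Constructed login page as the bank's server actually sends it.
LOGIN_URL = "https://online.examplebank.test/login"
LOGIN_PAGE = """<form method="post" action="/login">
<input name="userid" type="text">
<input name="password" type="password">
<input name="remember" type="checkbox">
<input type="submit" value="Sign in">
</form>"""


def match_target(url):
    """Return the inject config for a URL if it is a targeted bank page, else None."""
    u = urlparse(url)
    cfg = TARGETS.get(u.hostname)
    if cfg and u.path.startswith(cfg["path_prefix"]):
        return cfg
    return None


def inject_form(url, html):
    """Trojan side: rewrite the bank's HTML in the browser before the user sees it."""
    cfg = match_target(url)
    if cfg is None:
        return html  # untargeted site: page passes through unchanged
    idx = html.find(cfg["inject_before"])
    if idx < 0:
        return html  # page layout changed since the config was written; give up
    return html[:idx] + cfg["inject_html"] + html[idx:]


def grab_fields(url, posted):
    """Trojan side: pick the configured valuable fields out of a submitted form."""
    cfg = match_target(url)
    if cfg is None:
        return {}
    wanted = set(cfg["capture"]) | set(cfg["capture_injected"])
    return {k: v for k, v in posted.items() if k in wanted}


class _InputNames(HTMLParser):
    """Collect the name attribute of every <input> in a page."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.names.append(name)


def form_field_names(html):
    p = _InputNames()
    p.feed(html)
    return p.names


def unexpected_fields(server_html, posted):
    """Bank side: fields the browser submitted that the served form never contained.
    Any hit is a strong sign that something rewrote the page on the client."""
    served = set(form_field_names(server_html))
    return sorted(k for k in posted if k not in served)


if __name__ == "__main__":
    tampered = inject_form(LOGIN_URL, LOGIN_PAGE)
    print(tampered)
    submitted = {"userid": "alice", "password": "hunter2", "atm_pin": "1234", "remember": "on"}
    print("stolen:", grab_fields(LOGIN_URL, submitted))
    print("unexpected on server:", unexpected_fields(LOGIN_PAGE, submitted))
```

The Trojan-side functions show why a per-bank page database matters: without `inject_before` and `capture` entries that match the real page, the Trojan neither knows where to splice its extra field nor which posted values are worth exfiltrating, which is also why such configs break when a bank changes its page layout. The bank-side `unexpected_fields` check is the cheap defensive counterpart: a server that knows the exact set of input names it served can flag any submission carrying fields it never asked for.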