Win32/Crydex: Java pushes Cyprus into a Blackhole - We Live Security

Win32/Cridex: Java pushes Cyprus into a Blackhole

Banking crisis in Cyprus is now being used in a spam campaign promoting the Blackhole exploit kit and the Win32/Cridex Trojan.

Banking crisis in Cyprus is now being used in a spam campaign promoting the Blackhole exploit kit and the Win32/Cridex Trojan.

[Update: hat tip to Kafeine for pointing out that we cited the wrong CVE number. Now corrected in the text.]

Sadly, Cyprus has been the source of bad news lately. Even sadder, nothing travels faster than bad news, and bad people are all too ready to use bad news to trick their victims into opening bad files. My colleague Aleksandr Matrosov has alerted us to a spammed out message crammed with malicious links. Here’s a screenshot:


Despite the apparently innocuous nature of the links, they actually all go to a site booby-trapped with the Blackhole exploit kit (hxxp://go-my.ru/cyprus_news.html). The page is detected by ESET as a phishing site and users are protected.


The malware uses the latest Java exploit CVE-2013-0431 and we detect the samples as Win32/Cridex.AA and Java/Exploit.Agent.NMK.


Following infection of the victim machine, the victim is redirected to the main BBC news page:


As you see, the story there isn’t quite as dramatic as the spam message implies, but of course the idea is to grab your attention and get you to click on a malicious link.


The malware’s payload is to drop Win32/Cridex (see Virus Radar for a map of Win32/Cridex). We are now on notice that unsolicited emails about the problems in Cyprus are to be treated with extreme caution.

Aleksandr Matrosov, Security Intelligence Team Lead
David Harley, Senior Research Fellow

Discussion