Win32/Cridex: Java pushes Cyprus into a Blackhole

Sadly, Cyprus has been the source of bad news lately. Even sadder, nothing travels faster than bad news, and bad people are all too ready to use bad news to trick their victims into opening bad files. My colleague Aleksandr Matrosov has alerted us to a spammed out message crammed with malicious links. Here is a screenshot:

Spam Cridex

Despite the apparently innocuous nature of the links, they actually all go to a site booby-trapped with the Blackhole exploit kit (hxxp://go-my.ru/cyprus_news.html). The page is detected by ESET as a phishing site and users are protected.

Alert from ESET

The malware uses the latest Java exploit CVE-2013-1493 and we detect the samples as Win32/Cridex.AA and Java/Exploit.Agent.NMK.

Exploit Wait

Following infection of the victim machine, the victim is redirected to the main BBC news page:

As you see, the story there isn’t quite as dramatic as the spam message implies, but of course the idea is to grab your attention and get you to click on a malicious link.

loading the BBC Home Page is the end of this exploit

The malware’s payload is to drop Win32/Cridex (see Virus Radar for a map of Win32/Cridex). We are now on notice that unsolicited emails about the problems in Cyprus are to be treated with extreme caution.

Aleksandr Matrosov, Security Intelligence Team Lead
David Harley, Senior Research Fellow

Ready for the right solutions?

It’s time to offload your technology troubles and security stress.

"*" indicates required fields