The stolen SMTP credentials used by Geodo allow the malware to send out emails from legitimate accounts. According to the data published by the security firm, Germany is the country with the largest number of infections, followed by Austria, Hungary and the US.
Banking users infected by Geodo were targeted through a phishing attack. The phishing mails include a link to download a zip file containing the malware, disguised as an invoice or shipment PDF file.
“The C&C provides the malware with a batch of 20 targeted email addresses. The malware is also given a from address, subject line, and email body text unique to this particular batch of emails. Once the malware has run through the batch, it is provided with a new batch of 20 emails. And with each new batch of emails the C&C also sends a new from address, subject line, and body.”
“The emails we have seen, written in German, contain a link prompting the recipient to download a zip file which contains an executable disguised as a PDF document,” states Seculert in the blog post. “By opening the file, Geodo [new version of Cridex] is installed on the newly infected endpoint, adding a new bot to the mix.”
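The lure described above (a zip archive whose member is an executable posing as a PDF) is something a mail gateway or triage script can check for before the user opens it. The following is an added example, not code from Seculert or the Geodo analysis: it inspects each archive member for a document-then-executable double extension and compares the claimed extension with the file's leading bytes (PE files start with "MZ", real PDFs with "%PDF"). The archive it scans is constructed inline with stub contents, not a real sample.

```python
import io
import zipfile

# Extensions Windows will execute regardless of what the lure name suggests.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member name, reason) pairs for archive members that look like
    an executable disguised as a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            exts = ["." + part for part in base.split(".")[1:]]
            # Rule 1: executable extension, with or without a document extension
            # in front of it (e.g. "Rechnung.pdf.exe").
            if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                reason = "executable extension"
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                    reason = "document extension followed by executable extension"
                findings.append((name, reason))
                continue
            # Rule 2: the name claims .pdf but the content is not a PDF, or the
            # content is a PE image behind a non-executable extension.
            with archive.open(info) as member:
                head = member.read(4)
            if base.endswith(".pdf") and not head.startswith(b"%PDF"):
                findings.append((name, "claims .pdf but does not start with %PDF"))
            elif head.startswith(b"MZ"):
                findings.append((name, "PE header (MZ) behind a non-executable extension"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign PDF, one PE with a double
    extension, one PE carrying a bare .pdf name. Contents are stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Rechnung.pdf", b"%PDF-1.4\n% constructed benign sample\n")
        archive.writestr("Lieferschein.pdf.exe", b"MZ\x90\x00 constructed stub, not a binary")
        archive.writestr("Invoice.pdf", b"MZ\x90\x00 constructed stub, not a binary")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample_archive()):
        print(f"{member}: {reason}")
```

A real gateway would add the same checks for nested archives and for .scr/.pif lures, which the extension set above already covers at the top level.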
Like many other banking malware families, Geodo is able to inject code into the browser to conduct operations in the victim's name and to manipulate the content the browser presents to the bank customer.
Banking customers must be aware that cybercrime is very prolific; knowing the threats could help to mitigate them.