April Sees Spikes in Geodo Botnet Trojan

Throughout April, our Phishing Defense Team observed an increase in malicious URLs that deliver the financial crimes and botnet trojan known as Geodo. These emails take a simple approach to social engineering, using just a sentence or two prompting the victim to click on a link to see a report or invoice that has been sent to them.

An example of a typical phishing email used in these attacks is shown below:

Following the malicious links will lead the victim to download a hostile JavaScript application or PDF document tasked with obtaining and executing Geodo malware. One common attribute of these messages is the use of the words “invoice” or “order” as a common substring in the subject lines.

Below are some examples of subject lines we have observed:

Emails containing malicious links providing the PDF documents used to deliver this malware have also been found to contain the word “attachment” somewhere within in the subject line.

When the victim executes the JavaScript application or opens the PDF document, scripting content is used to download and execute the Geodo malware sample. The list below contains a representative sampling of payload locations used to deliver Geodo:

Once the Geodo payload is in place on the victim’s computer, it will connect to the Geodo command and control infrastructure allowing the attacker to collect sensitive information from the infected machine.

Listed below are command and control hosts that have been observed during our analysis:

The core functionality of the Geodo trojan lies in its ability to collect sensitive information from infected machines and their users. Sophisticated browser-based information stealing functionality provided by Geodo includes form grabs and HTTPS man-in-the-middle attacks. Geodo also sports the ability to produce new sets of phishing emails, delivering itself to new potential victims.

Full List of Geodo IOCs collected by the Phishing Defense Center

Infection URLs (Where the malware was originally downloaded from):

Payloads:

Command and Control hosts:

Recommendation:

PhishMe cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for unexpected emails that contain subject lines referring to invoices or attachments, and email bodies that ask you to visit a link to see an invoice or report. PhishMe Simulator customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails.

Want to be notified of the latest malware strains and phishing threats? – sign up for our complimentary PhishMe Threat Alerts service, delivered straight to your inbox.

PhishMe Adds New Modules to CBFree to Help All Organizations Thwart Ransomware and Business Email Compromise
Orange is the New Hack?

Leave a Reply