As a response to a flood of fake e-invoices hitting Germany and Switzerland in January 2014, I introduced Feodo Tracker, aimed at helping Internet users protect themselves from a sophisticated ebanking Trojan called Feodo (also known as Cridex/Bugat). Just a day after I published Feodo Tracker, the daily spam runs of fake invoices hitting German and Swiss internet users suddenly disappeared. Apparently, the distribution of new Feodo binaries stopped completely. After publishing Feodo Tracker, I have not seen any new Feodo infection binaries, neither for Version A nor for Version B. In fact, I haven’t managed to find any traces of Feodo ever since.
I don’t know what happened, nor do I know whether Feodo Tracker was the reason for the disappearance of Feodo. However, a few weeks ago – more than 3 months after Feodo disappeared – I started seeing a completely new malware popping up that I had never seen before. Investigating the new threat revealed botnet C&C traffic to obviously compromised hosts on port 8080 TCP, which immediately reminded me of Feodo (Version A). The new threat has been distributed since late May 2014 through fake e-invoices, sent using compromised SMTP credentials. Below are a few screenshots of recent spam runs distributing this new threat.
The botnet infrastructure used by this new threat, as well as the way the malware is being distributed, raised my suspicion that it might be a successor of Feodo. Talking to other security experts in the community strengthened my suspicions: the new malware is built on completely different code than Feodo, but the crypto code used for the botnet C&C communication seems to be almost the same as the one used by Feodo. In addition, the new malware uses the same botnet C&C infrastructure and distribution mechanism as Feodo. Moreover, the new malware is aimed at committing ebanking fraud – just like Feodo. Hence I do believe that this new threat can be considered a direct successor of Feodo. Some security experts have started to call this new threat Geodo. What is new with Geodo is that it not only uses port 8080 TCP to communicate with the botnet C&C server, but also port 7779 TCP.
As a response to this new development, I’ve extended Feodo Tracker’s capabilities so that it now keeps track of Geodo botnet C&C servers as well. Geodo botnet C&C servers detected by Feodo Tracker will be labelled as Version C:
Recent Geodo malware distribution URLs (spammed out through compromised SMTP credentials, all hijacked websites):
Some recent Geodo malware samples (MD5 hash):
Sample Geodo botnet C&C traffic (all HTTP POST to port 8080):