Incident Response, Malware, TDR

Infostealer Bugat resurfaces with worm component

Data-stealing malware known as “Bugat” now boasts a new capability that could quicken the trojan's profileration on users' machines.

According to Aviv Raff, CTO of advanced threat detection firm Seculert, the malware, also known as “Cridex,” leverages a “self-spreading infection method," or worm component. Bugat allows attackers to log into simple mail transfer protocol [SMTP] servers using stolen credentials, and send malicious emails containing links to more Bugat malware, Raff's Tuesday blog post said.

The stolen SMTP credentials appeared to come from Cridex victims, the blog post explained.

“Through further analysis of this attack, we were able to determine that the [the worm] is provided with approximately 50,000 stolen SMTP account credentials including the related SMTP servers to connect to,” Raff said. “The bot then uses these credentials to target mostly Germany accounts by impersonating legitimate email.”

Bugat, which targets Windows platforms, receives 20 email addresses at a time from its command-and-control server, and goes on to spam victims in batches, the blog post said. With each new batch, attackers change the email subject line, sender address and content of the message – likely to ensure that the phishing emails are not flagged as spam or deemed suspicious.

In a Tuesday email correspondence with, Raff further explained that Bugat “steals everything, from browser sessions to files,” of victims.

“As this is information stealing malware, it appears the attackers can profit from this information in many different ways, from gaining access to lucrative accounts and enterprise networks, to selling this information to other adversaries who may find this information more interesting,” Raff wrote.

In a February report, Dell SecureWorks Counter Threat Unit (CTU) released a report on the top banking botnets of 2013, naming Bugat as one of the major trojans in the pack. While Gameover Zeus and Citadel were the top two malware threats of that year, Bugat accounted for two percent of the trojan activity detected.

Though it appeared that the recent Bugat campaign primarily targeted German-speaking users, Raff said that the number of infections continues to climb.

“This campaign is still active, and the number of infections seems to be growing as we see the number of stolen SMTP credentials, downloaded by the email worm component, increase,” Raff said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.