Big news stories are always an opportunity for scammers and spammers, who attempt to redirect users to malicious exploit kits or other unwanted services. Britain’s royal baby is the latest news to offer cover for malware. We have already found a lot of spam messages regarding the birth and baby that lead users to the infamous Blackhole exploit kit.
The initial infection arrives as spam mail that contains a redirection URL in the following format:
Figure 1: Spam email.
Figure 2: Spam URL.
Figure 3: Blackhole landing page redirector.
The second-level URL shows us the actual landing page of the Blackhole exploit kit, which leads us to this content:
Figure 4: Customized encoded Blackhole landing page.
Figure 5: Decoded Blackhole landing page (PluginDetect.js with malicious URL).
The following browser plug-ins are known to be targeted by the exploit kit:
- Java Runtime Environment
- Adobe PDF Reader
McAfee coverage for the PluginDetect.js zero-day threat is JS/Exploit!JNLP.d.
The following images show the PDF and Java downloading a malicious URL:
Figure 6: JAR file downloading the URL in PluginDetect.js.
Figure 7: PDF file downloading the URL in PluginDetect.js.
This chain redirection could leave victims infected with one of these malware families:
For more detail about the Blackhole exploit kit, please refer to the McAfee Threat Advisory Library.
Thanks to my colleague Rohan Shah for his assistance with this blog.
Spam campaigns based on the Blackhole Exploit Kit send messages that contain links to compromised legitimate websites, which serve hidden iframes and redirections that exploit vulnerabilities across operating systems, from Android to Windows. Spam themes we have seen vary rapidly and are disguised to appear as legitimate messages from familiar services. Campaigns spoofing Facebook, LinkedIn, American Airlines, and various banking services carry embedded links to malware. Spammers abuse email templates from familiar service providers by capturing automated emails, replacing links in the template with links to malware, and rebroadcasting those messages to harvested or predicted recipients.
This tactic has proven effective for spammers. Recipients are likely to click links in familiar-looking emails and often create custom whitelist entries for common sending domains without enforcing Sender Policy Framework or DomainKeys Identified Mail validation.
The Messaging Security Team at McAfee Labs has closely monitored this trend and would like to share a few common traits from recent campaigns to aid in identification:
- Messages are disguised to appear as legitimate mails from well-known service providers
- Subject lines are very catchy and similar to those of any service provider. Subject line examples:
  - Your Verizon wireless bill
  - Pending Wire Transfer Notification – Ref: 15192
  - TrustKeeper Network Scan Information
  - BBC-Email: USA government decided to follow Cyprus and rise deposit taxes!!!
  - [FIRSTNAME LASTNAME] left you a comment…
  - Your order # ID[Random digits] has been completed
- URL paths commonly end in …/random_word.html or …/random_word.php
- Spammers recycle templates across campaigns. These emails could have embedded links to malware or attached .zip/executable files.
- Unsubscribe links are typically missing or replaced with malicious links
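The traits above, together with the SPF/DKIM point made earlier, can be turned into a simple mail-gateway triage check. The following is an added example written for this page, not McAfee code; the two messages, the domain names and the lure-subject patterns are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

LINK_RE = re.compile(r"https?://[^\s\"'<>]+")
# Trait from the post: payload links end in .../random_word.html or .../random_word.php
RANDOM_PAGE_RE = re.compile(r"^/[A-Za-z0-9_-]+\.(?:html|php)$")
# Trait from the post: subject lines recycle familiar service-provider lures (constructed subset)
LURE_SUBJECT_RE = re.compile(r"wire transfer|wireless bill|left you a comment|order #", re.I)

def triage(raw_message: str) -> dict:
    """Return which campaign traits a single-part text/plain message exhibits."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    links = LINK_RE.findall(body)
    auth = (msg.get("Authentication-Results") or "").lower()
    traits = {
        "lure_subject": bool(LURE_SUBJECT_RE.search(msg.get("Subject", ""))),
        "random_page_link": any(RANDOM_PAGE_RE.match(urlparse(u).path) for u in links),
        "no_unsubscribe": "unsubscribe" not in body.lower(),
        # Whitelisting a sender domain is only safe when SPF and DKIM actually passed
        "auth_not_passed": not ("spf=pass" in auth and "dkim=pass" in auth),
    }
    return {"traits": traits, "score": sum(traits.values()), "links": links}

# Constructed samples (not real campaign messages); hosts use reserved example names.
SPAM = """From: notify@example-bank.invalid
To: victim@example.org
Subject: Pending Wire Transfer Notification - Ref: 15192
Authentication-Results: mx.example.org; spf=fail; dkim=none
Content-Type: text/plain; charset=utf-8

A wire transfer is pending. Review the details here:
http://compromised-site.invalid/ghjkl.php
"""

LEGIT = """From: news@example.com
To: reader@example.org
Subject: Weekly product newsletter
Authentication-Results: mx.example.org; spf=pass; dkim=pass header.d=example.com
Content-Type: text/plain; charset=utf-8

This week's roundup: https://example.com/news/2013/07/roundup
To stop receiving these mails, unsubscribe at https://example.com/unsubscribe?id=42
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("legit", LEGIT)):
        print(name, triage(raw))
```

A score of two or more traits is a reasonable quarantine threshold; a single trait (a bill reminder with a legitimate deep link, say) is common in genuine mail.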
Blackhole Spam Samples
Fake wire-transfer campaign:
Fake LinkedIn campaign:
Fake Facebook campaign:
You will notice all of these samples have fake .html or .php links, which are highlighted in red in the foregoing samples. These are the links carrying payloads that we need to be aware of.
The bad guys will use many techniques to deliver their spam; social engineering is a reality. Messaging Security advises caution when clicking links in emails: hover first! Employ multiple layers of defense in your environment, from email defense to web security to antimalware, and keep those definitions up to date!
Contributor: Lionel Payet
Last week we saw how W32.Waledac was getting cozy with W32.Virut, but let us not forget about other spam botnets, like Trojan.Pandex (a.k.a. Cutwail), as they also persist in their propagation affairs.
The people behind W32.Cridex have used many attack vectors to spread the malware, including taking advantage of exploit kits like Blackhole, or attempting to deceive users with crafted PDF documents. This month they have managed to compose a more elaborate attack.
The attackers have managed to host a malicious HTML file at a legitimate web site, which has been compromised. This file would then redirect the user to a Blackhole exploit kit, which would deliver W32.Cridex to the compromised computer. But how did they attempt to deceive the user? By renting a botnet.
The Pandex botnet, also known as Cutwail and Pushdo, is not a new threat: it has been in the wild for more than six years and is responsible for roughly 18 percent of the spam emails detected by Symantec per day, worldwide. It not only sends spam, it is able to collect email addresses from compromised computers which can then be used in future campaigns. Symantec has several detections for the threat:
Using our telemetry systems, we can estimate the following distribution of the threat:
Figure 1. Heatmap illustrating the distribution of the Trojan.Pandex spam
W32.Cridex attack vector
The following image illustrates how W32.Cridex may arrive on a compromised computer.
Figure 2. W32.Cridex attack steps
Computers that were infected with Trojan.Pandex sent emails like the following:
Figure 3. Sample Trojan.Pandex email
If the user follows the link, a malicious HTML file hosted at judiciary.go.ke is then accessed, which would redirect the user to the following malicious URL:
The domain resolves to the following locations:
- 212.112.[REMOVED] (Germany)
- 89.111.[REMOVED] (Russian Federation)
- 91.224.[REMOVED] (Lithuania)
Symantec has a number of IPS detections for the BlackHole v2 exploit kit, and our telemetry data indicates that we have detected the following signatures from the malicious URL:
- Web Attack: Blackhole Exploit Kit Website 8
- Web Attack: Blackhole Exploit Kit
- Web Attack: Blackhole Functions
- Web Attack: Blackhole Toolkit Website 20
- Web Attack: Blackhole Toolkit Website 31
The following heatmap illustrates the distribution for the above detections:
Figure 4. Heatmap distribution for IPS detections associated with Blackhole exploit kit
If the Blackhole exploit is successful, W32.Cridex is then downloaded onto the compromised computer. Symantec has the following detections in place:
The worm then communicates with its command-and-control (C&C) servers, enabling the C&C servers to download, upload, and execute files on the compromised computer, potentially exposing the user to even more malware.
At the time of analysis, the C&C servers being used included:
After our analysis, we can confirm the findings of our colleagues from Dynamoo and that the compromised server has been notified and the malicious file removed.
We advise users to ensure operating systems and software are up to date and to avoid clicking on suspicious links while browsing the Internet or checking email.