
Cutwail Spam Campaign Dumps Blackhole for Magnitude Exploit Kit

21 October 2013

Shortly after reports that the developer of the Blackhole exploit kit was arrested, one of the groups leveraging the Cutwail spam botnet to spread banking trojans has dumped the widely used exploit kit in favor of a different vector: the Magnitude kit, which delivers ZeroAccess and Zeus/Zbot to its victims.

“Cutwail has historically distributed the Gameover Zeus trojan through various themed spam campaigns in combination with malicious embedded links that led to the Blackhole exploit kit,” explained Dell SecureWorks Counter Threat Unit (CTU) researchers in a blog. But since the arrest of alleged Blackhole mastermind “Paunch,” the kit’s encryption mechanism has been disabled and the daily updates it was receiving to keep ahead of evolving security measures have stopped. So, Cutwail has turned to Magnitude, also known as Popads.

Cutwail uses a spammed social engineering lure to convince a user to download malware – and usually the lures are quite sophisticated and believable. A recent Cutwail campaign using Qantas Airlines was so convincing that Qantas issued its own warning via Facebook in December 2012: “Authentic Qantas 'Seat Selection' emails will contain your name and booking details and will not include an attachment.”

Magnitude is a much lesser-known and not widely used toolkit, but it essentially accomplishes the same thing as Blackhole. The Magnitude version of the Cutwail campaign asks the user to click to install a browser update, but instead the user unknowingly installs Gameover Zeus. At the same time, a malicious iFrame redirects the browser to the Magnitude exploit kit. CTU researchers observed Magnitude installing the ZeroAccess trojan if the victim’s system was vulnerable to any of the exploits the kit attempted.
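As an added defender-side example (not from the article or from Dell SecureWorks), the following script triages a captured lure page for the two indicators described above: a download link to an executable presented as a browser update, and a tiny or hidden iframe that would redirect the browser elsewhere. The HTML and the hostnames in it are constructed placeholders, not real indicators.

```python
"""Triage a captured spam-lure page for the pattern described in the article:
a 'browser update' link that drops an executable plus a hidden iframe redirect."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; hostnames are placeholders, not real indicators.
LURE_HTML = """
<html><body>
<h1>Your browser is out of date</h1>
<p>Click <a href="http://cdn-update.example/update.exe">here</a> to install the update.</p>
<iframe src="http://landing.example/index.php?id=1" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")


class LureScanner(HTMLParser):
    """Collects (indicator, host) findings while parsing the page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src", "") or ""
            style = (a.get("style", "") or "").replace(" ", "").lower()
            # Exploit-kit redirects are typically 0x0/1x1 or styled invisible.
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden_iframe", urlparse(src).hostname or src))
        elif tag == "a":
            href = a.get("href", "") or ""
            # A 'browser update' that is a direct link to an executable is the lure itself.
            if urlparse(href).path.lower().endswith(EXECUTABLE_EXT):
                self.findings.append(("executable_link", urlparse(href).hostname or href))


def scan_lure(html):
    """Return a list of (indicator, host) tuples found in the page, in document order."""
    scanner = LureScanner()
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for kind, host in scan_lure(LURE_HTML):
        print(f"{kind}: {host}")
```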

Once installed, if the malware successfully opens communication with its C&C server, the sample Dell analyzed fetches Zeus/Zbot, which steals account details via man-in-the-browser keystroke logging and form grabbing. “Once it is installed it is difficult to either detect or remove; and the best defense is to avoid infection,” Dell noted. “It was once estimated that 3.6 million PCs were infected in the US alone.”

“Cybercriminals quickly adjusted their operation to maintain continuity,” Dell noted. “Combining social engineering with exploit kits sets the stage for a successful campaign and maximizes the potential for infecting as many victims as possible.”
