“Cutwail has historically distributed the Gameover Zeus trojan through various themed spam campaigns combination with malicious embedded links that led to the Blackhole exploit kit,” explained Dell SecureWorks Counter Threat Unit (CTU) researchers in a blog. But because the arrest of alleged Blackhole mastermind “Paunch,” the kit’s encryption mechanism has been disabled and the daily updates that it was making to keep ahead of evolving security measures have stopped. So, Cutwail has turned to Magnitude, also known as Popads.
Cutwail uses a spammed social engineering lure to convince a user to download malware – and usually the lures are quite sophisticated and believable. A recent Cutwail campaign using Qantas Airlines was so convincing that Qantas issued its own warning via Facebook in December 2012: “Authentic Qantas 'Seat Selection' emails will contain your name and booking details and will not include an attachment.”
Magnitude is a much lesser-known and not widely used toolkit, but it essentially accomplishes the same thing as Blackhole. The Magnitude version of Cutwail asks the user to click to install a browser update, but instead, the user unknowingly installs Gameover Zeus. At the same time, a malicious iFrame redirects the browser to the Magnitude exploit kit. CTU researchers observed Magnitude installing the ZeroAccess trojan if the victim’s system was vulnerable to any of the attempted vulnerabilities.
Once downloaded, if the malware successfully opens communication with its C&C server, the sample Dell analyzed fetches Zeus/Zbot to steal account details via man-in-the-browser keystroke logging and form grabbing. “Once it is installed it is difficult to either detect or remove; and the best defense is to avoid infection,” Dell noted. “It was once estimated that 3.6 million PCs were infected in the US alone.”
“Cybercriminals quickly adjusted their operation to maintain continuity,” Dell noted. “Combining social engineering with exploit kits sets the stage for a successful campaign and maximizes the potential for infecting as many victims as possible.”