Blackhole exploit kit (BHEK) spam attacks remain to be a prevalent threat up to this day. In fact, it is one of the top five consumer threats for 2012 due to its use of software vulnerabilities and social engineering tactic of leveraging companies like Verizon, Citibank AT&T, and Western Union among others. Furthermore, there are reports that BHEK recently released updates, which made this threat stealthier than before.
We have continuously monitored this threat and spotted several BHEK campaigns during the holidays. However, we noticed that the perpetrators behind these campaigns took a ‘holiday break’ so to speak since there weren’t any BHEK spam runs from Dec 30 until January 7.
And now that the holidays are over, cybercriminals behind BHEK campaigns are back again, this time spoofing companies like HP, Federal Reserve Bank, and Better Business Bureau. In particular, the Better Business Bureau BHEK spam claims to be a complaint report and urges its recipients to click a link pointing to the said claim letter report. The links eventually lead to sites that host the Blackhole Exploit Kit, which we detect as JS_BLACOLE.TPY.
According to senior threats researcher Loucif Kharouni, this year we will see a spike in toolkits and exploit kits that are arduous to detect. Moreover, we are expecting that cybercriminals will prefer creating more toolkits rather than making new malware.
Trend Micro Smart Protection Network protects users from BHEK spam runs by detecting the spam samples and malware, as well as blocking the related malicious URLs.
Toolkits like Blackhole Exploit Kit and Cool Exploit Kit are reportedly using the recent Java zero-day exploit that could lead to police ransomware infection. Trend Micro detects the REVETON payload (police ransomware) as TROJ_REVETON.RG and TROJ_REVETON.RJ respectively.
Update as of January 11, 2013 3:32 PM PST
Toolkits like Blackhole Exploit Kit and Cool Exploit Kit are reportedly using the recent Java zero-day exploit that could lead to police ransomware infection. Trend Micro detects the REVETON payload (police ransomware) as TROJ_REVETON.RG and TROJ_REVETON.RJ respectively.
Trend Micro users are protected from this attack via Deep security rule ID 1005177 – Restrict Java Bytecode File (Jar/Class) Download.
