The Blackhole Exploit Kit is one of the most notorious exploit kits currently in circulation among the cybercriminal underground today. Thus, we continuously monitor for incidents and attacks involving the exploit kit itself.
Last week we reported about the spam campaign leveraging the birth of Prince William’s and Kate Middleton’s son. Our analysis of the campaign yielded its connection to other currently-ongoing campaigns that used other recent news events, such as the controversy surrounding the upcoming movie Ender’s Game.
Some of the other connected campaigns also used Facebook and eBay as lures to get users to click malicious links.
The volume of spammed messages related to this spam run reached up to 0.8% of all spam messages collected during the time period — a relatively large percentage compared to other runs. We’ve also identified a list of countries that we detect where the bulk of the spam is coming from, and found that a large portion of them were from the US.
Another notable aspect of this run is its payload, which includes the information stealer TSPY_FAREIT. TSPY_FAREIT variants are often used as payload in campaigns that leverage BHEK.
The exact variant in this particular run, detected as TSPY_FAREIT.AFM, not only steals FTP client account information on the system it affects, but also steals stored email credentials, stored login information from browsers and ALSO brute-forces Windows login with a list of predetermined passwords. It basically plunders the affected computer of personal information that can be used to compromise the user’s financial accounts, personal information and even the security of the system they’re using.
These recent developments regarding this particular exploit kit can certainly be disconcerting, but nothing particularly new in regards to BHEK being used in new, unpredictable ways. What we can glean from this, however, is that even such an old approach is still effective in getting victims, which means that more users need to be protected about this threat. And user protection is not all that hard – as we’ve reminded everyone in the past, guarding against this kind of threat is a simple matter of a)being vigilant against socially-engineered attacks and b) having a security solution that blocks out the threats themselves.
Infection can be avoided by extra vigilance by users on not clicking on the links that present themselves through suspicious mails such as these. Other precautions include: always installing the latest Java security update (Find out more on how you can use Java safely here), and using a web reputation security product.
Trend Micro users are protected from all the malicious elements involved in this overarching spam campaign. For more information regarding the Blackhole Exploit Kit, refer to our paper on the subject here.
With additional inputs from Matt Yang and Rhena Inocencio.
