Soon after Paunch was arrested, we found that the flow of spam campaigns going to sites with the Blackhole Exploit Kit (BHEK) had slowed down considerably. Instead, we saw an increase in messages with a malicious attachment.
Recently, however, we came across rather unusual spam samples that combines characteristics of both attacks.
Figure 1. Spammed message
These particular messages contain both a link to a malicious site, as well as a malicious attachment. Having a spam message that contains both kinds of threats is not common – generally, spam will have one or the other.
The malicious attachment is another UPATRE variant, TROJ_UPATRE.SMB. This downloader installs a ZBOT variant onto the affected system. We had earlier identified that the Cutwail botnet had been sending out spam messages with UPATRE downloaders as attachments, and that is also the case here.
Long term, it’s unclear what this indicates. It may mean that attackers are turning to another exploit kit to replace BHEK as a long-term solution, but we cannot say for sure. We are continuously looking out for new threats in order to protect our users. In the meantime, we block the spam messages, websites, and files associated with this threat.
Additional analysis by Emmanuel Nisperos