After a month of minimal activity from users of the Blackhole toolkit, today we began seeing a rather large campaign emanating from the darkest corners of the web. At over half a million messages so far, this malware campaign is hitting our filters at a pace of around 3,000 messages per minute and makes use of 47 different domains. Those domains are scattered about, hosted in the likes of Norway, Germany, Italy, Australia and the United States, with currently nary a peep from Belarus.
The emails arrive in victim mailboxes wearing one of three different costumes. The first poses as an invoice from the technology retailer newegg.com and borrows the company's logos and graphics to add believability. These messages contain a handful of variables, all in bold text, that change somewhat randomly: a "Customer ID" field that reflects the addressee, a random 7- or 8-digit number used for both the "Account Number" and the "Sales Order Number", and a final piece of bold text naming the victim's supposed payment method, which rotates among AMEX, VISA, MASTERCARD and Preferred Account.
The other two disguises purport to come from ADP, informing recipients that they have been charged a large sum and that the invoice can be viewed via one of several links in the message. Unlike the newegg emails, the ADP emails carry no graphics and are delivered as simple plain text with hyperlinks.
If the victims are unlucky enough to follow any of these links, they are taken down a typical Blackhole path. First they land on one of the 47 domains, where their browser is silently served three JavaScript files hosted on three different domains: kalimat.egyta[dot]com/swearer/titan.js, www.asitecsrl[dot]com/servicemen/ethic.js and www.mbbd[dot]it/dzerzhinsky/bewilders.js. These scripts simply forward the victim to one of two further sites for the payload, 4rentcolumbus[dot]com/news/cross_destroy-sets-separate.php or http://4rentcoloradosprings[dot]com/news/cross_destroy-sets-separate.php. The redundancy at each of these pivot points keeps the campaign effective if any one site is taken down: the browser simply cycles on to the next link until it reaches the final payload.
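When triaging a chain like this, the first job is to map every hop from the landing page to the final exploit page and turn it into a defanged indicator list, without letting a live browser follow it. The script below is an added example written for this post, not AppRiver's tooling: it walks a captured landing page, the external scripts it includes, and the pivot pages those scripts redirect to, pulling the next hop out of script src attributes, iframes, meta refreshes and the usual JavaScript location assignments. The hostnames (landing.example, js-one.example, pivot-a.example and so on) are placeholders; only the directory and file names mirror the ones above, and the response bodies are constructed stand-ins for what such a chain serves, not captured traffic. In a real run the offline dictionary would be replaced by a sandboxed fetcher.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample responses (NOT captured traffic): url -> body the browser would receive.
SAMPLE_RESPONSES = {
    "http://landing.example/invoice.html": """<html><body><p>Loading your invoice...</p>
      <script src="http://js-one.example/swearer/titan.js"></script>
      <script src="http://js-two.example/servicemen/ethic.js"></script>
      <script src="http://js-three.example/dzerzhinsky/bewilders.js"></script>
    </body></html>""",
    "http://js-one.example/swearer/titan.js":
        "document.location.href='http://pivot-a.example/news/cross_destroy-sets-separate.php';",
    "http://js-two.example/servicemen/ethic.js":
        'window.location = "http://pivot-b.example/news/cross_destroy-sets-separate.php";',
    "http://js-three.example/dzerzhinsky/bewilders.js":
        "setTimeout(function(){ window.location.replace('http://pivot-a.example/news/cross_destroy-sets-separate.php'); }, 100);",
    "http://pivot-a.example/news/cross_destroy-sets-separate.php":
        '<html><body><iframe src="http://final.example/main.php?page=abc" width=1 height=1></iframe></body></html>',
    "http://pivot-b.example/news/cross_destroy-sets-separate.php":
        '<html><head><meta http-equiv="refresh" content="0;url=http://final.example/main.php?page=abc"></head></html>',
    "http://final.example/main.php?page=abc":
        "<html><body><script>var a = 'obfuscated...';</script></body></html>",
}

class HopParser(HTMLParser):
    """Collects where an HTML page can send the browser next:
    external <script src>, <iframe src> and <meta http-equiv=refresh>."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.hops = base_url, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag in ("script", "iframe") and a.get("src"):
            self.hops.append(urljoin(self.base_url, a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s>]+)", a.get("content", ""), re.I)
            if m:
                self.hops.append(urljoin(self.base_url, m.group(1)))

# JavaScript redirect idioms: location = '...', window.location.href = "...", location.replace('...')
JS_REDIRECTS = [
    re.compile(r"(?:(?:window|document|top|self|parent)\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"),
    re.compile(r"location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]\s*\)"),
]

def next_hops(url, body):
    """URLs this response points the browser at, in document order, de-duplicated.
    Works for HTML bodies and for bare JavaScript alike."""
    p = HopParser(url)
    p.feed(body)
    hops = list(p.hops)
    for rx in JS_REDIRECTS:
        hops.extend(urljoin(url, m.group(1)) for m in rx.finditer(body))
    seen, out = set(), []
    for h in hops:
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out

def walk_chain(start_url, responses, max_hops=25):
    """Breadth-first walk of the redirect graph over an offline url -> body map.
    Returns {url: [next urls]}; a URL with no body in the map gets an empty list."""
    graph, queue = {}, [start_url]
    while queue and len(graph) < max_hops:
        url = queue.pop(0)
        if url in graph:
            continue
        body = responses.get(url, "")
        graph[url] = next_hops(url, body) if body else []
        queue.extend(h for h in graph[url] if h not in graph)
    return graph

def terminal_urls(graph):
    """Nodes with no onward hop: the final-stage page(s) worth pulling apart."""
    return sorted(u for u, hops in graph.items() if not hops)

def defang(url):
    """Make a URL safe to paste into a report: hxxp:// and [.] in the host."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.replace("http", "hxxp"), p.netloc.replace(".", "[.]"),
                       p.path, p.query, p.fragment))

if __name__ == "__main__":
    graph = walk_chain("http://landing.example/invoice.html", SAMPLE_RESPONSES)
    for url, hops in graph.items():
        print(defang(url))
        for h in hops:
            print("   ->", defang(h))
    print("final stage:", [defang(u) for u in terminal_urls(graph)])
```

The redundancy described above shows up directly in the graph: two of the three scripts converge on the same pivot page, and both pivots converge on the same final page, so taking down any single host leaves at least one path alive. Everything the walker outputs is defanged, and the `max_hops` cap keeps a deliberately looping chain from running the analysis forever.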
After jumping through all of these invisible hoops, the browser ends on a page containing the heavily obfuscated JavaScript we've come to expect from Blackhole. The code begins by exploiting a vulnerability in Java to get onto the victim's machine. Once there, it secures its foothold by changing local firewall settings and adding itself to startup locations. It then fingerprints its new host, reports what it has found to its command and control server and awaits further commands.
These toolkits have been very prevalent over the past few years. Redkit has been making itself better known over the past couple of months, and others such as Phoenix remain active as well. However, Blackhole-created attacks continue to dominate the threat landscape.
AppRiver has you covered, though: our SecureTide product protects you from the initial email attack, and our SecureSurf product blocks the malicious network communications that follow (shameless plug).
Originally posted on http://blogs.appriver.com/Blog/bid/96854/A-Malicious-Event-Horizon