Exploit Kit Replacement

Wednesday, October 23, 2013 @ 04:10 PM gHale

As it is with anything else in the business world, one product goes away and another comes in to take its place.

The same is true in the security environment: a group of cybercriminals using the Cutwail spam botnet to distribute malware has switched from BlackHole to the Magnitude (Popads) exploit kit.

Why? Because the author of BlackHole, who goes by the name of Paunch, is under arrest and the bad guys are trying to find a replacement for it. At least one group has started using Magnitude, said researchers from Dell’s SecureWorks.

The spam campaign the Dell team analyzed relies on bogus Pinterest emails that lead to a fake browser update website.

The Magnitude exploit kit installs the ZeroAccess Trojan by leveraging various vulnerabilities that might plague the victim’s system.

“Cybercriminals quickly adjusted their operation to maintain continuity. Combining social engineering with exploit kits sets the stage for a successful campaign and maximizes the potential for infecting as many victims as possible,” SecureWorks’ Counter Threat Unit (CTU) research team noted in a blog post.

In a related development, Trend Micro researchers said all significant BlackHole spam runs have ended. A calendar published by the company shows that all the major spam campaigns stopped following the arrest.

On underground forums, cybercriminals are discussing the news of Paunch’s arrest. Some are concerned the arrest of the exploit kit’s author might lead to the identification of BlackHole users, especially since the database that contains the list of clients is likely in the possession of law enforcement authorities.

Russian authorities still haven’t revealed Paunch’s real name or details of the arrest.

“In the long term, the impact of BHEK’s (BlackHole Exploit Kit) apparent demise remains somewhat unclear. Other exploit kits are available, but these may not have the support structure that Paunch was able to build with BHEK,” said Trend Micro’s Jonathan Leopando in the blog post.
