Shortly after reports that the developer of the Blackhole exploit kit was arrested, one of the groups leveraging the Cutwail spam botnet changed tactics, switching which exploit kit they use to distribute malware.
Cutwail has historically distributed the Gameover Zeus trojan through various themed spam campaigns (see Figure 1) in combination with malicious embedded links that led to the Blackhole exploit kit. Dell SecureWorks Counter Threat Unit™ (CTU™) security intelligence researchers have observed a shift by one of the groups using the Cutwail botnet from Blackhole to another exploit kit known in the security community as Magnitude (formerly known as Popads).
Figure 1. Example of spam lure distributed by the Cutwail botnet. (Source: Dell SecureWorks)
The spam email contains an embedded malicious link that opens a website and displays the message “We detected your browser is NOT up-to-date” (see Figure 2).
Figure 2. Example of fake "update your browser" website. (Source: Dell SecureWorks)
This message is part of a social engineering ploy to convince users to download and run an executable. Instead of a browser update, the user unknowingly installs Gameover Zeus. At the same time, a malicious iFrame redirects the browser to the Magnitude exploit kit. CTU researchers observed Magnitude installing the ZeroAccess trojan if the victim’s system was vulnerable to any of the attempted vulnerabilities:
- CVE-2011-3402
- CVE-2012-0507
- CVE-2013-2463
- CVE-2013-2551
Figure 3 shows the network activity for the Magnitude exploit kit from the landing page, and the ZeroAccess geographic lookup using the Maxmind JavaScript API.
Figure 3. Request chain associated with Magnitude exploit kit. (Source: Dell SecureWorks)
Cybercriminals quickly adjusted their operation to maintain continuity. Combining social engineering with ex ploit kits sets the stage for a successful campaign and maximizes the potential for infecting as many victims as possible.
CTU researchers recommend that customers use available controls to restrict access using the indicators in Table 1. The domains listed in the indicators table may contain malicious content, so consider the risks before opening them in a browser.
| Indicator | Type | Context |
|---|---|---|
| hxxp://netderegalos.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://netderegalos.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://composite-namviet.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://sibcorona.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://papakarolalbum.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://www.076671179.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://pastrotarians.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://preordersite.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://bdparty24.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://www.kentinghome.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://gpllink.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://post41.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://abldg.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://www.thistledki.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://glavelectro.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://energy-linksllc.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://aquapaints.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://eintracht-mensengesaess.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://ozbaraklikasabasi.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://jeostatik.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://naranshigtgee.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://hasaysuenerji.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://hhozeainterios.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://matrixcl.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://electronelectronic.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://meganrosebill.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://coedsportsnet.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://www.lhm22.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://appleteknik.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://makeupstil.crystaldemon.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://nealclaimsconsulting.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://barlboroughspa.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://www.pentasbakat.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://vitalinegroup.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://property-maintenance-ltd.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://ffhkl.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://sztambuch.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://corps-professions-liberales.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://otodemirgil.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://lisarde.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://footballdesktop.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://attentiveinsurance.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://www.imaroci.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://atilanoseguros.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://www.ownersteak.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://canadapaperandlumber.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://dsahanddairy.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://jan-bd.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://mape.spidergim.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://facilities-management-ltd.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://mpcityhall.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://azaranmachine.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://lorenzobergamini.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://nicholsonremodeling.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://dovilio.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://motoravto.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://elizegiharategia.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://www.xianghone.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://mountainparkmall.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://disneyfashion-bd.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://ksico.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://excellenceinprocurement.yewbarrow.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://stal-stroy.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://jurvanelectronics.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://magasinmedical.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://everythingiceland.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://hotbeams.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://ski-sochi.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://russoffice.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://ultra-erection.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://irasakisushi.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://flowersperth.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://www.centromedicosanpaio.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://whooradio.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://fa.mojallalcatering.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://marihuana.spidergim.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://balbinoehijos.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://gobuygift.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://brookswags.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://aticoencarcaixent.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://stronawnet.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://libplppws.com/messag_id.html | URL | Link pointing to the exploit kit |
| hxxp://www.dungye.com/messag_id.html | URL | Link pointing to the exploit kit |
Table 1. Indicators associated with these threats.
Tendance actuelle...
.png?h=310&iar=0&w=420&hash=0B9488A86028BA379F679DEDB451DABC?io=transform:fit,width:870,height:490)