Blackhole exploit spam campaigns on the rise – (June 15, 2012)


The Dell SonicWALL Threats Research team continues to monitor new spam campaigns that embed malicious URLs in the e-mail body. These URLs point to compromised websites hosting the Blackhole exploit kit, which are currently serving the Cridex banking Trojan. We posted about a similar Craigslist spam campaign last week.

We saw multiple new spam campaigns this week leading to the Blackhole exploit websites serving a new variant of the banking Trojan:

  • American Airlines Flight order
  • Order
  • Federal Tax Payment
  • purchase receipt
  • DHL Tracking information
  • Verizon wireless monthly statement (Started earlier today)
  • UPS shipment tracking number (Started earlier today)

We are currently seeing e-mails from the last two campaigns actively spammed in the wild. Geographic distribution of the Blackhole exploit hosting websites involved in these campaigns from the last two weeks is shown below:

One of the most aggressive campaigns involved e-mails with the subject “RE: URGENT”, whose body contained malicious JavaScript and an iframe leading to the Blackhole exploit sites serving the Cridex banking Trojan. Although the majority of e-mail clients in use today disable iframes by default, some clients such as Outlook Express, some versions of Outlook, Thunderbird, and Windows Mail still allow them. Screenshot showing the raw e-mail content from this spam:

If the user’s e-mail client supports HTML and iframes, simply opening this e-mail starts the infection cycle we discussed in our previous alert: the malicious code inside the e-mail ensures that a connection is made to a Blackhole exploit site, and if the exploit is successfully executed it infects the host with the latest variant of the Cridex banking Trojan.
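As an added illustration (not SonicWALL's own detection logic), the following Python script scans a raw MIME message for the kind of active HTML content described above, reporting `<script>` and `<iframe>` tags and whether an iframe is hidden; the sample e-mail and its iframe destination are constructed placeholders, not indicators from this campaign.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample resembling the "RE: URGENT" spam; the iframe
# destination is a placeholder domain, not a real indicator.
RAW_EMAIL = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: RE: URGENT
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please see the attached information.</p>
<script type="text/javascript">document.write('<p>x</p>');</script>
<iframe src="http://blackhole-placeholder.invalid/main.php?page=ab12" width="1" height="1"></iframe>
</body></html>
"""

def _is_hidden(attrs):
    """True when an iframe is sized to 0/1 px or styled invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = any(str(attrs.get(k, "")).strip() in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style

class ActiveContentParser(HTMLParser):
    """Collect (tag, src, hidden) for every <script> and <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            a = dict(attrs)
            self.findings.append((tag, a.get("src"), tag == "iframe" and _is_hidden(a)))

def scan_raw_email(raw):
    """Parse a raw RFC 2822 message and scan every text/html part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = ActiveContentParser()
        parser.feed(part.get_content())
        findings.extend(parser.findings)
    return findings

def is_suspicious(raw):
    """Flag mail whose HTML body embeds script or a hidden iframe."""
    return any(tag == "script" or hidden for tag, _, hidden in scan_raw_email(raw))
```

A mail gateway would quarantine or strip such parts before delivery, since the client may render them without any user action beyond opening the message.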

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Blacole.GB (Exploit)
  • GAV: BlacoleRef.W_2 (Trojan)
  • GAV: Blacole.gen_4 (Exploit)
  • GAV: Cridex.MLX (Trojan)
