Exploit Kits "Lacking P(a)unch"
Posted by Ran Mosessco on 17 December 2013 02:00 PM

Criminal groups formerly using the Blackhole exploit kit experiment with the Magnitude exploit kit, social engineering techniques, direct attachments, phishing, and fraud


Over the past two months, the criminal gangs that were using malicious email redirecting to the Blackhole exploit kit have made major changes to their tactics, techniques, and procedures, providing some interesting insights into the financially motivated cyber criminal community. While there has been a considerable amount of discussion about "what is the next big exploit kit?" after the arrest of Blackhole creator Paunch, data from the Websense® ThreatSeeker® Intelligence Cloud (described in detail below) shows that a major criminal group is trending away from Blackhole and instead experimenting with the up-and-coming Magnitude exploit kit, but not at the volume and frequency we have come to expect from them. In addition, we have observed another major group using Cutwail that appears to have shifted from originally using Blackhole to deliver Pony and ZeuS GameOver malware to focusing increasingly on direct attachments for delivery.


Below is a timeline describing the email-based attack trends that we have observed during the recent decline of Blackhole:


  • Late September 2013 had a typical mix of attachment and non-attachment spam on the Cutwail botnet with heavy usage of the Blackhole exploit kit to deliver malware.
  • October 4-9 - news broke of the arrest of Blackhole creator Paunch.
  • October 16-18, November 12 - we saw malicious email with the same type of redirection code that had been leading to the Blackhole exploit kit redirecting to the up-and-coming Magnitude exploit kit ("/news/" or "ru:8080" gang).
  • On October 1, October 28, December 4, 5 - we saw URL structures that formerly redirected to Blackhole lead to "American Express themed" phishing pages (3 .js URLs in each page, a URL structure used by the "/topic/" or "Pony/ZeuS GameOver" gang).
  • On December 11-13 - we noticed a shift in URLs formerly used by the "/closest/" gang to connect to Blackhole leading to fraudulent "work from home" and "diet" pages.



One of the most prolific botnets in existence, Cutwail, at one time had the capacity to produce up to 46% of global spam (according to research reports). Cutwail is commonly used by criminal groups to distribute spam targeting the financial industry via malware capable of stealing banking credentials and credit card numbers. Historically, malicious email sent from the Cutwail botnet has contained a mixture of URLs and ZIP attachments with executables. Because the intent of Cutwail campaigns is typically to steal banking credentials and credit card numbers, the emails typically impersonate popular banks and financial institutions, major social networks, news organizations, and online retail sites. URL links contained in these emails have typically redirected to the Blackhole exploit kit, which delivers downloaders for malware (with ZeuS GameOver variants being the majority). A second approach uses malicious ZIP attachments in Cutwail email that contain executables which eventually download ZeuS GameOver variants. However, this approach is not as technically sophisticated as the previous technique of a URL leading to the Blackhole exploit kit, which does not require a user to "double-click" an executable to infect their computer.

In early October 2013, Paunch, the proprietor of the infamous Black Hole exploit kit, was arrested by Russian authorities which affected the business model of a few cyber criminal gangs. In the wake of Paunch's arrest, there has been quite a bit of discussion about the future of Blackhole and competitive exploit kits. Security researcher Kafeine has a detailed analysis of the different gangs that were using Black Hole and their activities before and after the arrest.


A shift in tactics

According to Websense telemetry, it appears that since Paunch's arrest in October 2013, the focus of large-scale malicious email campaigns sent via Cutwail has shifted to using attachments, with a short fling using the up-and-coming Magnitude exploit kit seen in October and November (/news/ gang) and a phishing campaign in December (/topic/ gang).

The data above is generated from one of the Websense real-time analytics that detects Cutwail spam bot campaigns. The analytic operates in both our honeypot and production environments, and outputs both the total number of emails that it detects (those containing malicious links as well as those containing ZIP attachments) and the subset of emails containing attachments (mostly ZIP). While this particular real-time analytic captures only a sample of the Cutwail spam that we block, the breakdown of spam emails with attachments, combined with our real-time analytics that detect exploit kits, illustrates a clear trend: initially moving away from Blackhole after Paunch's arrest, experimenting with Magnitude but at lower volume than before, and then moving almost entirely to direct email attachments. It is important to remember that more than one criminal group is using Cutwail. We differentiate gangs based on their malware delivery techniques and targets.


Why the shift?

It is important to remember that cyber criminals are financially motivated. The business arrangements between the criminal gangs and Paunch were lucrative, and it may be the case that Magnitude's business model or effectiveness (most likely measured by infection rate) did not justify the cost for the gang ("/news/" or "ru:8080" gang) that experimented with it to go full bore as we have seen in their earlier campaigns. Another surprising conclusion could be that the "/topic/" or "ZeuS GameOver" gang has seen that direct attachments to email are still effective, and has decided to invest its resources in other areas.

Similarly, use of existing attack infrastructure for redirection to phishing pages or to less sophisticated malware download sites can be the criminals' way of experimenting with new techniques until a good working relationship is established with the people behind one or more of the existing (or upcoming) exploit kits.

Incidentally, we have seen that some of the ZeuS variants that are delivered through attachments, such as the Upatre downloader, continue to download other malware. Given enough time to run on a victim machine, Upatre sometimes downloaded ransomware such as CryptoLocker, which may have been generating increased revenue for criminal gangs, even with lower infection rates after the decline of Blackhole.


What's next?

We predict that in the next months, there will be a return to URL-based email attacks utilizing exploit kits that offer "malware as a service" on a larger scale. The use of exploit kits is simply a more effective delivery mechanism, especially with an increasingly security-aware target audience.


Fox News-themed Malicious Email Campaign [UPDATED]
Posted by Jason Hill on 28 June 2013 02:53 PM

Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, discovered an interesting malicious email campaign using spoofed email addresses from Fox News domains in an attempt to ultimately lure victims to websites hosting the Blackhole Exploit Kit. Should the exploit and compromise be successful, a malicious payload related to the Cridex family appears to be delivered which, as detailed in an earlier Websense Security Labs blog, is typically used to steal banking credentials as well as to exfiltrate personally identifiable information (PII) and other confidential data for criminal gain. These emails, discovered early on the morning of June 27th, featured "breaking news" subjects and mimicked legitimate news content related to the US Military moving into Syria in order to entice the victim to 'click' on the malicious links. The campaign appears to have targeted a variety of industries and countries; as of 1600 PST on June 27th, the Websense ThreatSeeker® Intelligence Cloud had detected and blocked over 60,000 samples.

Email Screenshot:


Intercepted emails generated interest as they are highly convincing as breaking news alerts and target highly popular and polarizing topics such as immigration reform, the war on terror, and sending troops to Syria. Example email subjects include:

  • U.S. Military Action in Syria - is it WW3 start?
  • US deploys 19,000 troops in Syria
  • Obama Sending US Forces to Syria

Malicious Email Analysis

The emails above contain links that follow a series of redirections leading to a BlackHole exploit kit which delivers a malicious PDF. Once opened, the malicious PDF executes embedded and obfuscated JavaScript code which delivers an exploit (CVE-2010-0188). In the event the exploit is successful, the shellcode downloads a malicious component from: hxxp://


Redirection Chain:


The malicious component downloaded by the shell-code is characterized as a Trojan that is capable of downloading malicious files onto a compromised computer and spreading itself via mapped and removable drives.

Malicious component:

About the PDF file:

Malicious PDF Analysis

First Stage - Obfuscated JavaScript embedded in PDF:


Second Stage:


The third and final stage reveals the shellcode and URL:

Should the malicious PDF successfully exploit the victim's machine, it creates a Windows Registry entry in order to maintain persistence by running automatically as the system starts:


Once executed, a number of HTTP connections on port 8080 are opened in order to download additional malicious payloads:
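The staged analysis above hinges on a PDF that carries obfuscated JavaScript and runs it automatically on open. As an added example that is not part of the original post, the following static triage routine flags that combination: it collapses PDF name hex escapes (for instance `/J#61vaScript`, a common way to hide `/JavaScript` from naive string scans), inflates FlateDecode streams so names hidden inside them are visible, and reports auto-executing JavaScript. The sample PDF, the indicator list and the function names are constructed for this illustration and are not from the campaign described.

```python
import re
import zlib

# Constructed sample: a minimal PDF whose /OpenAction runs JavaScript, with the
# /JavaScript and /JS names hex-escaped the way obfuscated samples often are.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /J#53 (eval(unescape('%u9090'))) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Names whose presence warrants a closer look (assumed indicator list).
SUSPICIOUS_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/XFA", "/EmbeddedFile"}


def normalize_names(data: bytes) -> bytes:
    """Collapse PDF name hex escapes (#xx), e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the decompressed content of every FlateDecode stream to the raw bytes."""
    out = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (or corrupt); raw bytes are still scanned
    return b"\n".join(out)


def triage_pdf(data: bytes) -> dict:
    """Return indicator counts plus two verdict flags for a PDF's raw bytes."""
    text = normalize_names(inflate_streams(data))
    found = {n: len(re.findall(re.escape(n.encode()) + rb"(?![A-Za-z])", text))
             for n in SUSPICIOUS_NAMES}
    found = {k: v for k, v in found.items() if v}
    # Hex-escaped characters inside a name are a deliberate evasion, not normal output.
    obfuscated = bool(re.search(rb"/[A-Za-z]*#[0-9A-Fa-f]{2}", data))
    # JavaScript reachable from a document-level or annotation action runs without user interaction.
    auto_js = ("/OpenAction" in found or "/AA" in found) and ("/JS" in found or "/JavaScript" in found)
    return {"indicators": found, "hex_obfuscated_names": obfuscated, "auto_exec_javascript": auto_js}


if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

This is a triage filter, not a verdict: a flagged file still needs the JavaScript extracted and deobfuscated stage by stage, as the post does above.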

Associated Domains

The domain (hxxp:// that hosts the malware downloaded by the PDF exploit above was first registered on June 25th, 2013. In that time, it has resolved to three different IP addresses (,, and has hosted multiple pieces of malware which resulted in it being characterized as a malicious website by the Websense ThreatSeeker® Intelligence Cloud nearly immediately.

Malicious domain (hxxp://
Contact email:
Registrant: Cabrieto, Debbie

A WhoIS lookup on the contact email and registrant indicates that a second domain was registered on the same day (hxxp:// This domain does not resolve yet, but is likely to be used for malicious purposes in the future.

Impact and Protection

The overall efficacy of this campaign is difficult to judge, but the combination of a relatively high level of sophistication in the attacker’s social engineering and the utilization of relatively recent exploits and malware result in an increased risk to targeted systems. Websense provided protection from this campaign at multiple stages. Correlating this attack to the 7 stages of Advanced Threats (as explained in our whitepaper), we currently have protection for:

  • Stage 2 (Lure) - The Fox News themed email campaign
  • Stage 3 (Redirect) - The websites that take the user to the delivery of the exploit code
  • Stage 4 (Exploit Kit) - Real-time detection of the BlackHole exploit kit that was used in this attack
  • Stage 6 (Call Home) - The malicious PDF launches code that reaches out to a server known to host malware and that is blocked via Websense. Further, analytics have been added that detect and block the C2 protocol used by the PDF
  • Stage 7 (Data Theft) - Websense DLP (data loss prevention) tools are capable of detecting and stopping the exfiltration of sensitive information with advanced feature sets such as Drip DLP, OCR analysis and covert channel detection




Tuesday, July 2, 2013:

Websense Labs, via our ThreatSeeker Intelligence Cloud, has identified a modification to this campaign. Using Pinterest as its platform, the updated lure informs the recipient that their Pinterest account needs updating and suggests they follow a link to do so; clicking on this link results in action identical to the Fox News campaign described in the initial blog.

As always, Websense keeps its users safe through the 7 stages of Advanced Threats, via our Advanced Classification Engine.
