Blackhole exploit spam campaigns on the rise -

June 15, 2012

Dell Sonicwall Threats Research team continued to monitor new spam campaigns involving malicious URLs in the e-mail body. These malicious URLs point to Blackhole exploit kit hosting compromised websites that are currently serving Cridex banking Trojan. We posted about a similar campaign - Craigslist spam campaign last week.

We saw multiple new spam campaigns this week leading to the Blackhole exploit websites serving a new variant of the banking Trojan:

  • American Arlines Flight order
  • Amazon.com Order
  • Federal Tax Payment
  • Ebay.com purchase receipt
  • DHL Tracking information
  • Verizon wireless monthly statement (Started earlier today)
  • UPS shipment tracking number (Started earlier today)

We are currently seeing e-mails from the last two campaigns actively spammed in the wild. Geographic distribution of the Blackhole exploit hosting websites involved in these campaigns from the last two weeks is shown below:

One of the most aggressive campaigns involved e-mails with subject "RE: URGENT" and the e-mail body contained malicious Javascript and Iframe leading to the Blackhole exploit sites serving Cridex banking Trojan. Although the majority of e-mail clients in use today disable Iframes by default, there are still some clients like Outlook Express, some versions of Outlook, Thunderbird, and Windows Mail that allow it. Screenshot showing raw e-mail content from this spam:

If the user's e-mail client supports HTML and Iframes then simply opening up this e-mail would lead to the start of infection cycle that we discussed in our previous alert. The malicious code inside the e-mail ensures that a connection is made to a Blackhole exploit site. If the exploit is successfully executed it will infect the host with the latest variant of the Cridex banking Trojan.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Blacole.GB (Exploit)
  • GAV: BlacoleRef.W_2 (Trojan)
  • GAV: Blacole.gen_4 (Exploit)
  • GAV: Cridex.MLX (Trojan)