The Latest in IT Security

Spam campaign uses Blackhole exploit kit to install SpyEye


This article was written in collaboration with my colleague Jean-Ian Boutin.

The Wigon botnet (also known as Cutwail) is being used in a massive spam campaign. A multitude of ruses are used to get the user to click on a link: fake LinkedIn or Facebook notifications, free Windows licenses, fake deliveries etc. The links are pointing to the Blackhole exploit kit which attempts to install malware on the computer via unpatched security flaws. The kit attempts to use the recently added exploit CVE-2011-3544 for Java. A lot of systems have not yet been patched for this vulnerability leaving them at risk of being compromised; screenshots of Blackhole panels published by french malware researchers Xylitol and Malekal both show infection success rates over 80%.

CVE-2011-3544 now exploited by Blackhole

The following screenshot shows a part of the decompiled code of the Java applet used by Blackhole which is exploiting the flaw. 

JAR file exploiting CVE-2011-3544

One of the file dropped through this spam campaign is a SpyEye sample detected as Win32/Spy.SpyEye Trojan by ESET. This banking trojan was configured to steal banking information from clients of BAWAG PSK, the fourth largest bank in Austria. Once a computer is infected, the malware has the ability to change the webpages content seen by the user when visiting BAWAG eBanking services. The following screenshots show that the phishing warning as well as the bank contact information is removed from the login page by the malware .

Phishing warnings and contact information removed by SpyEye

Once the user logs in, his personal information is stored and sent to the C&C server. According to the SpyEye tracker, the C&C server used by this sample is still online and is hosted in Azerbaijan.

An obfuscated JavaScript is inserted in the eBanking webpage and is used to transfer money from the user account to the cybercriminal account. This script has also the ability to hide operations that were done on the user account by modifying the content of the account balance and transfer history. The following screenshot shows a code snippet used to modify the account balance in order to hide a transfer that has already occurred.

Finally, here is a screenshot showing the code used to send status information when a successful transfer occurs.

BAWAG PSK has been notified of this targeted attack. As always we advise our readers not to click links in spam or suspicious messages and to keep their installed software and antivirus up to date.

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments