Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

“Catch Me If You Can” Trojan Banker Zeus Strikes Again (Part 2 of 5)

This is the second blog in this series of blogs. The previous blog provided a general overview of the attack.

"Catch Me If You Can" Trojan Banker Zeus Strikes Again (Part 1 of 5)

In this blog we will discuss the techniques used by the cyber-gang to exploit users' machines. We will analyze Blackhole Exploit Kit as the main attack vector that was used.

Blackhole Exploit Kit

An exploit kit is a Web tool that provides pre-packaged exploits of various vulnerabilities for multiple products, such as Internet Explorer, Adobe Reader, Java and more. Exploit kits are specifically designed for cybercriminals who lack any deep knowledge of programming or hacking. For as little as a few hundred dollars, any cybercriminal can easily start a cyber-attack.

The first version of the Blackhole exploit kit was released in September 2010. Since then, we have witnessed thousands of domains spreading exploits generated by this kit, making it the most popular exploit kit by far.

The version of Blackhole exploit kit that used in the attack serves the following exploits:

8174_1ac15b68-30a9-45d3-afaa-ac3073e067a4Table 1: Vulnerabilities packaged by version 1.2.1 of the Blackhole exploit kit

Below is a snippet of obfuscated code generated by Blackhole exploit kit:

11071_a738cefe-b708-4ffe-b041-f1b045d61ead

Figure 1: Obfuscated MDAC exploit generated by Blackhole exploit kit

The de-obfuscated code is as shown here:

11442_b9715e5d-fb5d-4863-9358-607911de68d5

Figure 2: De-obfuscated MDAC exploit CVE-2006-0003 generated by Blackhole exploit kit

Every several months, the author of the Blackhole exploit kit publishes updates which contain new exploits as well as new obfuscation techniques. It has gained popularity among cybercriminals due to its ever-evolving obfuscation techniques and its easy-to-use control panel.

Control Panel

One of the main parts of any exploit kit is a user-friendly and elegant-looking control panel. The screen shot below shows the Blackhole's control panel. Note: This is a general screenshot of Blackhole's control panel, and not one specific to this attack.

12394_e844937c-9db0-42fa-8fc0-ad0715129f7c
Figure 3: Blackhole exploit kit control panel

The Blackhole exploit kit control panel contains extensive information regarding the attack, including: statistics of infected systems, breakdown by countries, browsers, operating system and vulnerabilities.

According to the statistics presented in the screenshot, which are common in most exploit kit attacks, Blackhole exploited some browser (Internet Explorer) vulnerabilities along with vulnerabilities in applications such as Adobe Acrobat Reader and the Java Runtime Environment.

8742_37bb9e34-67c7-4fc2-814a-f71f6f5b9923

Figure 4: Thread panel allows administrators to execute multiple attacks on one instance

Using the threat panel, the Blackhole exploit kit allows the administrator to build multiple simultaneous attack programs. For example, the panel above shows one virus targeting PCs in the U.K., while another targets PCs in the U.S. Moreover, the threat panel is also being used as an affiliate program, where the administrator configures threats for users who don't buy the exploit kit but also wish to spread malware.

11717_c7014791-7c49-41d0-b9de-3001e30375a9
Figure 5: The virus detection function of Blackhole control panel

Blackhole exploit kit has implemented an option to check the detection of new malware using underground anti-virus file scanners such as scan4you.biz and virtest.com, similar to the Siberia exploit kit. The administrator can check every several hours to determine whether anti-virus vendors detect its malware, and if so, replace it with a new variant.[1]

In the next blog in this series we will show how the cyber gang control the bots before they get into action. We will discuss the advantages and the capabilities of the bot controller that was used in this cyber-attack.


[1] For more information about the Blackhole exploit kit, please see the M86 Security (now part of Trustwave) 2H 2011 Threat Report.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo