Blackhole Toolkit Rivals Zeus
It has been a very familiar sight to see emails with malicious attachments pretending to be from popular shipping companies, fake IRS notifications, or other similar ploys end up in our filters here at AppRiver. Most of these are courtesy of the Zeus trojan, an easily recognizable kit-born trojan hell-bent on stealing banking information from unsuspecting victims. Zeus has been around for quite some time now, and because it is so easy to obtain on the underground forums, it has spread quite rapidly in the wild.
Lately, though, a lesser-known toolkit by the name of Blackhole has been gaining in popularity. The Blackhole toolkit was released into the underground market less than a year ago and was being sold for around $1500 US per yearly license, which included support. The cost was enough to keep the rookies away and allowed operators of the new toolkit to operate relatively under the radar. That is, until May of this year, when the kit was made available for free in many locations. Since then we have been seeing a steady increase in the number of infections for which this kit is responsible.
Initially, Blackhole would simply infect legitimate websites that had the proper vulnerabilities, and passersby who visited them would become infected via drive-by download. Now, however, an email component has been added to increase traffic to these sites, which are no longer only legitimate compromised sites but now primarily include a slew of random sites set up for the sole purpose of snaring victims.
Currently we are seeing a new campaign linked to the Blackhole kit, with a new batch of domains also associated. These emails are made to look like an automated email notification from a Hewlett-Packard OfficeJet Printer. The email purports that a document was scanned and sent to the recipient, and even offers handy links from which to view it.
Currently we are seeing well over 1500 domains serving up malware created with this Blackhole toolkit, and over 4.5 million emails related to this most current campaign hitting our filters at a rate of 30,000 per minute.