
The Blackhole Moves In Closer


The Blackhole toolkit has been ubiquitous in the past few months. This toolkit leaves behind a tell-tale fingerprint and is easily spotted by its use of obfuscated JavaScript and redirects. This code has, until recently, found its place residing on malicious websites out in the dark murky backwaters of the internet. Today though, it decided it was going to come in for a closer look. Some emails belonging to one of its most recent campaigns started hitting our filters today masquerading as a scanned document from its recipient's domain's network printer.

The body gives little information about what's attached other than that it is a scan, the number of pages, and the sender. These are all things you'd expect to see from a scan sent via the network, but the attachment is suspect. Normally you would expect to receive these images in a format such as PDF; this one arrives as an HTM file. Once opened, the page loads locally, and victims would see a page open in their browser that looked like this -

Meanwhile beneath the surface, their browser was interpreting this -

The malware attempts to make a connection to the domain cserimankra[dot]ru on port 8080 to download another script from /images/aublbzdni.php. If the destination is unreachable, the malware will begin to ping the domain stopbadware.org in order to establish whether or not it has connectivity to the web. Additionally, the malware makes all of its requests through port 1063, which is commonly used for the KyoceraNetDev protocol, so the traffic resembles normal network printer share traffic. Granted, it's Kyocera traffic and not HP traffic like the email shows, but it is still a pretty good way to hide its tracks a bit.

If allowed to connect to its command and control server, it downloads and creates a file by the name of gsxohsapcpklkti[dot]exe. This executable copies itself to Windows start-up areas where it's sure to run every time the victim PC is started, and begins pulling other exploit code packages from the sites samaragotodokns[dot]ru, hmvmgywkvayilcwh[dot]ru, and xvmzegestulhtvqz[dot]ru. After several files are created, run, hidden and deleted, the malware actively begins monitoring the victim's machine for sensitive information.

We have these variants blocked, but stay on your toes, and watch out for attacks such as these. Look for vague information, poor graphics, improper or even convincing attachments and links, and anything that may be out of place. Note that these emails appeared to have come from within the recipients' own domain. This tactic is used a lot to lull potential victims into a false sense of security. Don't let them fool you, and keep it safe out there!
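As an added illustration (not AppRiver's code), the following triage check turns the warning signs above into a rule: a scan-themed message carrying an HTM/HTML attachment instead of a PDF or image, sent from an address on the recipient's own domain. The sample messages, the extension lists and the field names are assumptions constructed for the example.

```python
# Added example: a mail-gateway style check for the "network printer scan"
# lure described in the post. Not code from AppRiver; sample data is constructed.
import re
from dataclasses import dataclass, field

# Words that make a message read like a printer/copier scan notification.
SCAN_WORDS = re.compile(r"\b(scan(ned)?|pages?|printer|copier)\b", re.I)
# Assumption: local policy treats these extensions as risky for a "scan".
RISKY_EXT = {".htm", ".html", ".js", ".exe"}
# Formats a real network scanner would normally deliver.
EXPECTED_EXT = {".pdf", ".tif", ".tiff", ".jpg", ".png"}


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def ext(name: str) -> str:
    i = name.rfind(".")
    return name[i:].lower() if i >= 0 else ""


def scan_lure_reasons(msg: Message) -> list:
    """Return the reasons a message matches the scan lure; an empty list means clean."""
    reasons = []
    looks_like_scan = bool(SCAN_WORDS.search(msg.subject + " " + msg.body))
    risky = [a for a in msg.attachments if ext(a) in RISKY_EXT]
    if looks_like_scan and risky:
        reasons.append(f"scan-themed message with non-document attachment {risky}")
    if risky and domain(msg.sender) == domain(msg.recipient):
        reasons.append("sender address is on the recipient's own domain")
    if looks_like_scan and not any(ext(a) in EXPECTED_EXT for a in msg.attachments):
        reasons.append("body describes a scan but no PDF/image is attached")
    return reasons


# Constructed sample messages, not real campaign data.
LURE = Message("printer@example.com", "bob@example.com",
               "Scan from HP Officejet", "Pages: 2  Sent by: admin", ["scan_2847.htm"])
LEGIT = Message("printer@example.com", "bob@example.com",
                "Scan from HP Officejet", "Pages: 2  Sent by: admin", ["scan_2847.pdf"])
```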
