Cutwail Spam Swapping Blackhole for Magnitude Exploit Kit

Shortly after reports that the developer of the Blackhole exploit kit was arrested, one of the groups leveraging the Cutwail spam botnet changed tactics, switching which exploit kit they use to distribute malware. Cutwail has historically distributed the Gameover Zeus trojan through various themed spam campaigns (see Figure 1) in combination with malicious embedded links that led to the Blackhole exploit kit. Dell SecureWorks Counter Threat Unit™ (CTU) researchers have observed a shift by one of the groups using the Cutwail botnet from Blackhole to another exploit kit known in the security community as Magnitude (formerly known as Popads).

Figure 1. Example of spam lure distributed by the Cutwail botnet. (Source: Dell SecureWorks)

The spam email contains an embedded malicious link that opens a website and displays the message “We detected your browser is NOT up-to-date” (see Figure 2).

Figure 2. Example of fake 'update your browser' website. (Source: Dell SecureWorks)

This message is part of a social engineering ploy to convince users to download and run an executable. Instead of a browser update, the user unknowingly installs Gameover Zeus. At the same time, a malicious iframe on the page redirects the browser to the Magnitude exploit kit, so a visitor who never clicks the download can still be compromised. CTU researchers observed Magnitude installing the ZeroAccess trojan when the victim's system was vulnerable to any of the exploits the kit attempted.

Figure 3 shows the network activity for the Magnitude exploit kit, from the landing page through to the geographic lookup that ZeroAccess performs using the MaxMind JavaScript API. That lookup happens after the install, so it is a useful network artifact for confirming that the exploit succeeded rather than merely being attempted.

Figure 3. Request chain associated with Magnitude exploit kit. (Source: Dell SecureWorks)

Cybercriminals quickly adjusted their operation to maintain continuity. Combining social engineering with an exploit kit gives the campaign two chances at each victim: users who run the fake update install Gameover Zeus, and users who decline may still be exploited silently by Magnitude.

CTU researchers recommend that customers use available controls, such as web proxy, DNS, or firewall blocking, to restrict access to the indicators in Table 1. Every listed URL uses the same path, /messag_id.html, on a different domain, so a rule on that path will also catch landing pages on hosts that were not observed. The domains listed in the indicators table may contain malicious content, so consider the risks before opening them in a browser.

Indicator | Type | Context
--- | --- | ---
hxxp://netderegalos.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://composite-namviet.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://sibcorona.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://papakarolalbum.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://www.076671179.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://pastrotarians.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://preordersite.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://bdparty24.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://www.kentinghome.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://gpllink.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://post41.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://abldg.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://www.thistledki.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://glavelectro.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://energy-linksllc.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://aquapaints.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://eintracht-mensengesaess.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://ozbaraklikasabasi.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://jeostatik.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://naranshigtgee.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://hasaysuenerji.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://hhozeainterios.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://matrixcl.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://electronelectronic.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://meganrosebill.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://coedsportsnet.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://www.lhm22.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://appleteknik.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://makeupstil.crystaldemon.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://nealclaimsconsulting.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://barlboroughspa.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://www.pentasbakat.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://vitalinegroup.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://property-maintenance-ltd.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://ffhkl.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://sztambuch.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://corps-professions-liberales.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://otodemirgil.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://lisarde.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://footballdesktop.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://attentiveinsurance.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://www.imaroci.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://atilanoseguros.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://www.ownersteak.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://canadapaperandlumber.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://dsahanddairy.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://jan-bd.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://mape.spidergim.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://facilities-management-ltd.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://mpcityhall.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://azaranmachine.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://lorenzobergamini.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://nicholsonremodeling.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://dovilio.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://motoravto.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://elizegiharategia.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://www.xianghone.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://mountainparkmall.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://disneyfashion-bd.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://ksico.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://excellenceinprocurement.yewbarrow.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://stal-stroy.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://jurvanelectronics.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://magasinmedical.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://everythingiceland.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://hotbeams.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://ski-sochi.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://russoffice.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://ultra-erection.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://irasakisushi.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://flowersperth.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://www.centromedicosanpaio.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://whooradio.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://fa.mojallalcatering.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://marihuana.spidergim.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://balbinoehijos.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://gobuygift.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://brookswags.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://aticoencarcaixent.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://stronawnet.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://libplppws.com/messag_id.html | URL | Link pointing to the exploit kit
hxxp://www.dungye.com/messag_id.html | URL | Link pointing to the exploit kit

Table 1. Indicators associated with these threats.
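As an added example (not from the original post and not Dell SecureWorks code), the following Python script shows one way to apply Table 1 to web proxy logs: it refangs the hxxp indicators, normalizes host and path, and flags a request when it matches a listed URL exactly, when it hits a listed domain on another path, or when it uses the shared /messag_id.html landing path on a host the table does not contain. The indicator subset, the Squid-style log layout, the log lines and the assumption that the campaign keeps reusing the same landing-page filename are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the Table 1 indicators, kept in the defanged "hxxp"
# form in which they were published. Swap in the full table for real use.
INDICATORS = """
hxxp://netderegalos.com/messag_id.html
hxxp://composite-namviet.com/messag_id.html
hxxp://sibcorona.com/messag_id.html
hxxp://www.076671179.com/messag_id.html
hxxp://mape.spidergim.com/messag_id.html
"""

# Every URL in Table 1 shares this path. Matching on it alone catches landing
# pages on hosts that were not listed (assumption: the campaign keeps using the
# same filename).
LANDING_PATH = "/messag_id.html"

# Constructed proxy log lines in Squid native format:
# timestamp elapsed client status/code bytes method url rfc931 peer type
SAMPLE_LOG = """
1383000001.101 245 10.0.0.5 TCP_MISS/200 5123 GET http://netderegalos.com/messag_id.html - DIRECT/203.0.113.10 text/html
1383000002.220 180 10.0.0.7 TCP_MISS/200 4981 GET http://www.sibcorona.com/messag_id.html - DIRECT/203.0.113.11 text/html
1383000003.330 90 10.0.0.9 TCP_MISS/200 610 GET http://example.org/messag_id.html - DIRECT/203.0.113.12 text/html
1383000004.440 60 10.0.0.5 TCP_HIT/200 7321 GET http://www.example.com/index.html - NONE/- text/html
1383000005.550 75 10.0.0.7 TCP_MISS/200 2048 GET http://netderegalos.com/about.html - DIRECT/203.0.113.10 text/html
this line is not a valid proxy record
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def refang(url):
    """Turn a defanged indicator (hxxp://, hxxps://, [.]) back into a real URL string."""
    return (url.strip()
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://")
            .replace("[.]", "."))


def normalize(url):
    """Return (host, path) with the host lowercased and a leading 'www.' dropped,
    so that www.example.com and example.com compare equal (Table 1 mixes both)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host, parts.path or "/"


def load_indicators(text):
    """Parse defanged indicator lines into a set of (host, path) pairs."""
    return {normalize(refang(line)) for line in text.splitlines() if line.strip()}


def classify(url, indicator_urls, indicator_hosts):
    """Return the strongest verdict for a requested URL, or None if it is clean."""
    host, path = normalize(url)
    if (host, path) in indicator_urls:
        return "url-match"        # exact Table 1 entry
    if host in indicator_hosts:
        return "domain-match"     # listed host, different path
    if path == LANDING_PATH:
        return "path-pattern"     # same landing-page name on an unlisted host
    return None


def scan(log_text, indicator_urls):
    """Scan proxy log text; return [(client, url, verdict)] for each suspicious request."""
    indicator_hosts = {host for host, _ in indicator_urls}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed records instead of crashing
        verdict = classify(m["url"], indicator_urls, indicator_hosts)
        if verdict:
            hits.append((m["client"], m["url"], verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan(SAMPLE_LOG, load_indicators(INDICATORS)):
        print(f"{verdict:13} {client:10} {url}")
```

The three verdict levels are deliberate: an exact URL hit is a strong signal, a domain hit on another path tells you the user touched a listed site (worth a look, but a legitimate visit is possible since these look like ordinary third-party domains), and a path-only hit is the lead that finds landing pages the table never saw. Run it against the full table and a real access log rather than the constructed sample.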
