Trustwave SpiderLabs Uncovers Unique Cybersecurity Risks in Today's Tech Landscape. Learn More

Trustwave SpiderLabs Uncovers Unique Cybersecurity Risks in Today's Tech Landscape. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

“Catch Me If You Can” Trojan Banker Zeus Strikes Again (Part 2 of 5)

This is the second blog in this series of blogs. The previous blog provided a general overview of the attack.

"Catch Me If You Can" Trojan Banker Zeus Strikes Again (Part 1 of 5)

In this blog we will discuss the techniques used by the cyber-gang to exploit users' machines. We will analyze Blackhole Exploit Kit as the main attack vector that was used.

Blackhole Exploit Kit

An exploit kit is a Web tool that provides pre-packaged exploits of various vulnerabilities for multiple products, such as Internet Explorer, Adobe Reader, Java and more. Exploit kits are specifically designed for cybercriminals who lack any deep knowledge of programming or hacking. For as little as a few hundred dollars, any cybercriminal can easily start a cyber-attack.

The first version of the Blackhole exploit kit was released in September 2010. Since then, we have witnessed thousands of domains spreading exploits generated by this kit, making it the most popular exploit kit by far.

The version of Blackhole exploit kit that used in the attack serves the following exploits:

8174_1ac15b68-30a9-45d3-afaa-ac3073e067a4Table 1: Vulnerabilities packaged by version 1.2.1 of the Blackhole exploit kit

Below is a snippet of obfuscated code generated by Blackhole exploit kit:

11071_a738cefe-b708-4ffe-b041-f1b045d61ead

Figure 1: Obfuscated MDAC exploit generated by Blackhole exploit kit

The de-obfuscated code is as shown here:

11442_b9715e5d-fb5d-4863-9358-607911de68d5

Figure 2: De-obfuscated MDAC exploit CVE-2006-0003 generated by Blackhole exploit kit

Every several months, the author of the Blackhole exploit kit publishes updates which contain new exploits as well as new obfuscation techniques. It has gained popularity among cybercriminals due to its ever-evolving obfuscation techniques and its easy-to-use control panel.

Control Panel

One of the main parts of any exploit kit is a user-friendly and elegant-looking control panel. The screen shot below shows the Blackhole's control panel. Note: This is a general screenshot of Blackhole's control panel, and not one specific to this attack.

12394_e844937c-9db0-42fa-8fc0-ad0715129f7c
Figure 3: Blackhole exploit kit control panel

The Blackhole exploit kit control panel contains extensive information regarding the attack, including: statistics of infected systems, breakdown by countries, browsers, operating system and vulnerabilities.

According to the statistics presented in the screenshot, which are common in most exploit kit attacks, Blackhole exploited some browser (Internet Explorer) vulnerabilities along with vulnerabilities in applications such as Adobe Acrobat Reader and the Java Runtime Environment.

8742_37bb9e34-67c7-4fc2-814a-f71f6f5b9923

Figure 4: Thread panel allows administrators to execute multiple attacks on one instance

Using the threat panel, the Blackhole exploit kit allows the administrator to build multiple simultaneous attack programs. For example, the panel above shows one virus targeting PCs in the U.K., while another targets PCs in the U.S. Moreover, the threat panel is also being used as an affiliate program, where the administrator configures threats for users who don't buy the exploit kit but also wish to spread malware.

11717_c7014791-7c49-41d0-b9de-3001e30375a9
Figure 5: The virus detection function of Blackhole control panel

Blackhole exploit kit has implemented an option to check the detection of new malware using underground anti-virus file scanners such as scan4you.biz and virtest.com, similar to the Siberia exploit kit. The administrator can check every several hours to determine whether anti-virus vendors detect its malware, and if so, replace it with a new variant.[1]

In the next blog in this series we will show how the cyber gang control the bots before they get into action. We will discuss the advantages and the capabilities of the bot controller that was used in this cyber-attack.


[1] For more information about the Blackhole exploit kit, please see the M86 Security (now part of Trustwave) 2H 2011 Threat Report.

Latest SpiderLabs Blogs

Zero Trust Essentials

This is Part 5 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

Why We Should Probably Stop Visually Verifying Checksums

Hello there! Thanks for stopping by. Let me get straight into it and start things off with what a checksum is to be inclusive of all audiences here, from Wikipedia [1]:

Read More

Agent Tesla's New Ride: The Rise of a Novel Loader

Malware loaders, critical for deploying malware, enable threat actors to deliver and execute malicious payloads, facilitating criminal activities like data theft and ransomware. Utilizing advanced...

Read More