Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

“Catch Me If You Can” Trojan Banker Zeus Strikes Again (Part 2 of 5)

This is the second blog in this series of blogs. The previous blog provided a general overview of the attack.

"Catch Me If You Can" Trojan Banker Zeus Strikes Again (Part 1 of 5)

In this blog we will discuss the techniques used by the cyber-gang to exploit users' machines. We will analyze Blackhole Exploit Kit as the main attack vector that was used.

Blackhole Exploit Kit

An exploit kit is a Web tool that provides pre-packaged exploits of various vulnerabilities for multiple products, such as Internet Explorer, Adobe Reader, Java and more. Exploit kits are specifically designed for cybercriminals who lack any deep knowledge of programming or hacking. For as little as a few hundred dollars, any cybercriminal can easily start a cyber-attack.

The first version of the Blackhole exploit kit was released in September 2010. Since then, we have witnessed thousands of domains spreading exploits generated by this kit, making it the most popular exploit kit by far.

The version of Blackhole exploit kit that used in the attack serves the following exploits:

8174_1ac15b68-30a9-45d3-afaa-ac3073e067a4Table 1: Vulnerabilities packaged by version 1.2.1 of the Blackhole exploit kit

Below is a snippet of obfuscated code generated by Blackhole exploit kit:


Figure 1: Obfuscated MDAC exploit generated by Blackhole exploit kit

The de-obfuscated code is as shown here:


Figure 2: De-obfuscated MDAC exploit CVE-2006-0003 generated by Blackhole exploit kit

Every several months, the author of the Blackhole exploit kit publishes updates which contain new exploits as well as new obfuscation techniques. It has gained popularity among cybercriminals due to its ever-evolving obfuscation techniques and its easy-to-use control panel.

Control Panel

One of the main parts of any exploit kit is a user-friendly and elegant-looking control panel. The screen shot below shows the Blackhole's control panel. Note: This is a general screenshot of Blackhole's control panel, and not one specific to this attack.

Figure 3: Blackhole exploit kit control panel

The Blackhole exploit kit control panel contains extensive information regarding the attack, including: statistics of infected systems, breakdown by countries, browsers, operating system and vulnerabilities.

According to the statistics presented in the screenshot, which are common in most exploit kit attacks, Blackhole exploited some browser (Internet Explorer) vulnerabilities along with vulnerabilities in applications such as Adobe Acrobat Reader and the Java Runtime Environment.


Figure 4: Thread panel allows administrators to execute multiple attacks on one instance

Using the threat panel, the Blackhole exploit kit allows the administrator to build multiple simultaneous attack programs. For example, the panel above shows one virus targeting PCs in the U.K., while another targets PCs in the U.S. Moreover, the threat panel is also being used as an affiliate program, where the administrator configures threats for users who don't buy the exploit kit but also wish to spread malware.

Figure 5: The virus detection function of Blackhole control panel

Blackhole exploit kit has implemented an option to check the detection of new malware using underground anti-virus file scanners such as and, similar to the Siberia exploit kit. The administrator can check every several hours to determine whether anti-virus vendors detect its malware, and if so, replace it with a new variant.[1]

In the next blog in this series we will show how the cyber gang control the bots before they get into action. We will discuss the advantages and the capabilities of the bot controller that was used in this cyber-attack.

[1] For more information about the Blackhole exploit kit, please see the M86 Security (now part of Trustwave) 2H 2011 Threat Report.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More