
Blackhole exploit kit tagged in these posts:

Margaret Thatcher's Death Used in Cyber Attacks
Posted: 10 Apr 2013 03:39 AM

As the world remembers former British Prime Minister Margaret Thatcher, cyber attackers are participating too, but in their own tricky ways. Websense® Security Labs™ and the Websense ThreatSeeker® Network have detected that attackers are sending malicious email spam with a topic referencing the death of Mrs. Thatcher. Actually, it is not new for an attacker to use a hot topic (like the death of Hugo Chavez) to spread malware. In this case, the lure email is very simple, with just a few words related to Mrs. Thatcher, but it pretends to be from your friends by using the "Re: Fwd:" notation. Internet-savvy customers will know that it looks suspicious and should not be tempted to click the link in the email.


When recipients click the malicious link, they are taken to a redirection page first, and then redirected to a Blackhole Exploit Kit landing page. The landing page fingerprints the client's browser and plugin versions and then serves the exploit file chosen on the basis of that information. The final payload is a Cridex trojan, as seen in our ThreatScope™ report and in the VirusTotal report here. Cridex is known for breaking CAPTCHA codes, and you can see this trojan in action in our previous blog post here.

Server-side polymorphic technology has been applied to evade traditional AV detection. 


This is not the first time we have seen a Blackhole malicious email campaign. It has evolved over time, combining with hot topics such as the current crisis in Korea or major companies filing for bankruptcy. Please be careful with any email that carries one of the following subjects:


  • Fwd: Dollar Bank bankruptcy
  • Re: Shedding light on 'dark matter'
  • Re: Why Washington is corrupt
  • Re: Kissinger: Thatcher's strong beliefs
  • Re: Tax havens busted
  • Fwd: Re: First Citizens Bank bankruptcy
  • Fwd: Re: Living large in Don Draper's New York
  • Fwd: Re: Kissinger: Thatcher's strong beliefs
  • Re: Fwd: California Bank & Trust bankruptcy
  • Fwd: Re: Bank of America bankruptcy
  • Fwd: Allowing knives on planes is 'insane'
  • Fwd: Re: War with N. Korea
  • Fwd: Air Canada goes 'Gangnam style'
  • Fwd: Re: NASA plans to catch an asteroid
  • Re: Fwd: Dollar Bank bankruptcy
  • Fwd: Why Washington is corrupt
  • Fwd: Blast kills 29 on bus in New-York
  • Fwd: Shedding light on 'dark matter'
  • Fwd: Re: Marikana massacre aftermath
  • Re: Fwd: Kissinger: Thatcher's strong beliefs
  • Fwd: Re: PNC Bank bankruptcy
  • Re: Fwd: Bank Of The West bankruptcy
  • Re: Fwd: M&I Bank bankruptcy
  • Re: Bank Of The West bankruptcy
  • Fwd: Bank Of The West bankruptcy
  • Re: Fwd: PNC Bank bankruptcy
  • Re: Bank of America bankruptcy
  • Re: Fwd: War with N. Korea
  • Re: California Bank & Trust bankruptcy
  • Re: Blast kills 29 on bus in New-York
  • Re: Fwd: Blast kills 29 on bus in New-York
  • Re: Sending out SOS for 'America's flagship'
  • Re: Fwd: Marikana massacre aftermath
  • Re: Living large in Don Draper's New York
  • Re: War with N. Korea
  • Fwd: Re: Death penalty 'harms Bali's reputation'
  • Re: Fwd: Death penalty 'harms Bali's reputation'
  • Re: PNC Bank bankruptcy
  • Re: NASA plans to catch an asteroid
  • Re: Northern Trust Bank bankruptcy
  • Fwd: Tax havens busted
  • Re: Fwd: Why Washington is corrupt
  • Re: Fwd: Tax havens busted
  • Fwd: M&I Bank bankruptcy
  • Re: Fwd: Fashion designer Lilly Pulitzer dies
  • Re: First Citizens Bank bankruptcy
  • Re: Fwd: Shedding light on 'dark matter'
  • Re: Fwd: Living large in Don Draper's New York
  • Re: Fwd: Northern Trust Bank bankruptcy
  • Fwd: Re: California Bank & Trust bankruptcy
  • Re: Air Canada goes 'Gangnam style'
  • Re: Fashion designer Lilly Pulitzer dies
  • Re: Dollar Bank bankruptcy
  • Fwd: Sending out SOS for 'America's flagship'

Websense technologies can protect customers in a multi-stage attack:

  • Websense email security blocks the malicious email.
  • Our Advanced Classification Engine (ACE™) detects the malicious content both in redirection and in the exploit page with real-time intelligence.
  • Vulnerability files and the payload trojan are detected by Websense Gateway products.
  • Websense technologies can identify malicious droppers both statically and behaviorally (via Websense ThreatScope).

Breaking News: The Malicious USA Presidential Spam Campaign has Started
Posted: 10 Oct 2012 03:45 PM

The Websense® ThreatSeeker® Network has detected a spam campaign that tries to exploit recipients' interest in the current presidential campaign in the US.  Specifically, we have detected thousands of emails with this kind of content:


As noted recently, we are seeing an increasing number of spam campaigns with malicious links that lead to BlackHole exploit pages. This is also what happens with this campaign. If the recipient clicks on one of the links in the email, it starts a redirection flow which leads to URLs that host BlackHole exploit code. We simulated the recipient's experience with the support of the Fiddler tool, as shown below:


The pattern used strongly resembles the pattern used in other malicious, BlackHole-based spam campaigns, so we decided to investigate using a small set of samples from this campaign, chosen from among thousands of emails.


The links found in the spam emails usually have this kind of content:


The purpose of this flow, as usual, is to install malicious files. In this malicious spam campaign, we noticed PDF, JAR and EXE files with low antivirus detection rates (used to compromise the victims' systems). During our simulated user experience we found the following files involved:


  • PDF - MD5: 69e51d3794250e3f1478404a72c7a309
  • JAR file - MD5: 03373056bb050c65c41196d3f2d68077
  • about.exe - MD5: 9223b428b28c7b8033edbb588968eaea


More information on the behavior and activities of about.exe can be found in our Websense ThreatScope™ report:
http://aceinsight.websense.com/fileanalysisreport.aspx?rid=CD22C58FDA3E49FBBF1D41BD575ACAD3


Each URL shown above contains a redirection payload that leads the victim to a malicious website that hosts BlackHole exploit kit 2.0 obfuscated code. So far, we have detected thousands of emails blocked by our Cloud Email Security technology:


Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine). 


Gianluca Giuliani

Voice Mail Notifications and ADP Emails Lead to Blackhole Exploit Kit
Posted: 13 Sep 2012 02:00 PM

Since Blackhole Exploit Kit 2.0 was recently introduced, we wanted to give our readers a few examples of how they might get exposed to this threat through email.

Websense® ThreatSeeker® Network has recently intercepted a few malicious email campaigns that try to lure the victims to Web pages that host this popular exploit kit. Some of the themes were new to us and some familiar.

One posed as voice mail notifications from Microsoft Exchange servers, another mimicked ADP invoice reminders, and a third thanked the recipient for signing up for a premium service of accountingWEB.com. Like other malicious social engineering campaigns, these email campaigns try to lure victims to click links that ultimately lead to pages hosting Blackhole Exploit Kit. A lot of the email messages pretend to come from trusted sources (well-known establishments, or the victim's own infrastructure), and try to catch the reader off-guard by focusing their attention on something urgent, like money matters.

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

The malicious emails contain links that redirect to Blackhole pages with new obfuscation, but we don't think these are Blackhole 2.0. We suspect it won't be long, though, until we come across similar campaigns that use the new version.

ADP is one of the largest names in payroll services, so it's no surprise that a spoofed ADP notification email is used as a lure.

Here's an example marked as high priority, with the subject line "ADP Invoice Reminder":


Let's follow one of the possible redirection paths:

hxxp://allbarswireless.com/HXwcDdQ/index.html
hxxp://ash-polynesie.com/AjVSXvus/js.js
hxxp://108.60.141.7/tfvsfios6kebvras.php?r=dwtd6xxjpq8tkatb
hxxp://108.60.141.7/links/differently-trace.php

Please refer to our previous blog post to learn more about the landing page.

Here's a different lure - emails pretending to come from the victim's Exchange server, telling them that they have new voice mail. The text invites the reader to click the link: "Double click on the link to listen the message."

Subject lines include "Voice Mail from NNN-NNN-NNNN (NN seconds)":


The redirection chain here is similar:

hxxp://www.tryakbar.com/tLbM3r/index.html
hxxp://sportmania.so/JP3q2538/js.js
hxxp://173.255.221.74/tfvsfios6kebvras.php?r=rs3mwhukafbiamcm

The landing page shows similar content to the previous example. See here.

Another scheme thanks the user for signing up for a premium service.

Subject lines include "Thank you for activating paid services":


Different redirection chain, but the landing page hosts Blackhole, with a very familiar path:

hxxp://www.svstk.ru/templates/beez/check.php
hxxp://bode-sales.net/main.php?page=3c23940fb7350489

And finally, the familiar theme of FDIC notifications claiming your wire transfer ability was suspended.

Subject lines include "You need a new security version," "Suspended transactions," and "Urgent! You must install a new security version!"


Here again, simple redirection leads to typical "/main.php?page=" type URLs.

hxxp://kahvikuppi.org/achsec.html
hxxp://afgreenwich.net/main.php?page=0f123fe645ddf8d7

Note that as part of the update to Blackhole 2.0, we are much more likely to see URLs like those used in the first two examples, rather than the latter two, due to the dynamic URL generation capability.
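The two URL shapes described in this post (the classic "/main.php?page=<16 hex>" landing page and the 2.0-style "<random>/index.html" -> "<random>/js.js" -> "<IP>/<random>.php?r=" chain) are easy to hunt for in proxy logs. The script below is an added example, not Websense's code; the log line layout "<timestamp> <client-ip> <url>" and the hosts, IPs and tokens in the sample lines are assumptions constructed for it.

```python
"""Flag Blackhole-style redirect chains in constructed proxy log lines."""
import re
from urllib.parse import urlsplit, parse_qs

# Classic Blackhole landing page: .../main.php?page=<16 lowercase hex chars>
CLASSIC_LANDING = re.compile(r"/main\.php$")
HEX16 = re.compile(r"^[0-9a-f]{16}$")

# Blackhole 2.0-style chain pieces, as seen in the redirection paths above
REDIRECT_INDEX = re.compile(r"^/[A-Za-z0-9]{6,12}/index\.html$")
REDIRECT_JS = re.compile(r"^/[A-Za-z0-9]{6,12}/js\.js$")
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def classify_url(url):
    """Return the chain stage a URL looks like, or None if it matches none."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path
    query = parse_qs(parts.query)
    if CLASSIC_LANDING.search(path) and HEX16.match(query.get("page", [""])[0]):
        return "blackhole-landing"
    if REDIRECT_INDEX.match(path):
        return "redirect-index"
    if REDIRECT_JS.match(path):
        return "redirect-js"
    # Bare-IP host, random .php name, single "r=" parameter: the 2.0 gate
    if IP_HOST.match(host) and path.endswith(".php") and "r" in query:
        return "blackhole-gate"
    return None


def scan_log(lines):
    """Return (client, stage, url) for every line whose URL matches a stage.
    Assumed log format: '<timestamp> <client-ip> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        stage = classify_url(fields[2])
        if stage:
            hits.append((fields[1], stage, fields[2]))
    return hits


def chains_by_client(hits):
    """Group stage labels per client so a complete chain stands out: a client
    that hits index -> js -> gate in sequence almost certainly reached an
    exploit page, whereas a lone redirect-index is a weaker signal."""
    chains = {}
    for client, stage, _ in hits:
        chains.setdefault(client, []).append(stage)
    return chains


# Constructed sample log: hosts, IPs and timestamps are made up; the path
# shapes follow the redirection chains shown in this post.
SAMPLE_LOG = """\
2012-09-13T14:00:01 10.0.0.5 http://example-a.test/HXwcDdQ/index.html
2012-09-13T14:00:02 10.0.0.5 http://example-b.test/AjVSXvus/js.js
2012-09-13T14:00:03 10.0.0.5 http://192.0.2.7/tfvsfios6kebvras.php?r=dwtd6xxjpq8tkatb
2012-09-13T14:00:09 10.0.0.9 http://example-c.test/main.php?page=3c23940fb7350489
2012-09-13T14:00:10 10.0.0.9 http://example-c.test/main.php?page=home
2012-09-13T14:00:11 10.0.0.11 http://www.example.test/index.html
""".splitlines()

if __name__ == "__main__":
    for client, stages in chains_by_client(scan_log(SAMPLE_LOG)).items():
        print(client, "->", " > ".join(stages))
```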


Fake ‘Amazon order’ email exploits recent Java vulnerability CVE-2012-4681
Posted: 02 Sep 2012 09:44 PM

Following our recent blog posts regarding the propagation of Java vulnerability CVE-2012-4681 (New Java 0-day used in small number of attacks) and its subsequent inclusion in the infamous Blackhole Exploit Kit (New Java 0-day added to Blackhole Exploit Kit), the Websense® ThreatSeeker® Network has detected a new malicious email campaign purporting to be an order verification email from Amazon directing victims to a page containing the recent Java exploit.

If successful, this exploit could allow the cyber-criminals behind this campaign to deliver further malicious payloads to the victim’s machine which, for example, could lead to the exfiltration of personal and financial data.

Oracle have released an out-of-band patch for this Java vulnerability (Oracle release Java 1.7.0_07 to fix CVE-2012-4681) and Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine.

On 1st September, Websense® ThreatSeeker® Network intercepted over 10,000 malicious emails with the subject ‘You Order With Amazon.com’ enticing the recipient to ‘click here’ to verify a fictitious order as shown in this sample:


Once the victim has clicked the link, they are redirected to an obfuscated page hosting the Blackhole Exploit Kit – in this case, hxxp://atjoviygdm.dnset.com/main.php?page=8e2cf5bb67d777a4. The Payload view below highlights the Java archive ‘Leh.jar’, which is then used to exploit CVE-2012-4681 should the victim’s machine be vulnerable; an analysis of this file can also be found on VirusTotal.


The obfuscated JavaScript above (de-obfuscated version below) attempts to profile the visiting machine, determining the browser type and version as well as the Adobe Flash, Adobe Reader and Java versions, and then, based on this information, selects the ‘best’ exploit to use against this particular victim.


This email campaign further illustrates the ingenuity and speed at which cyber-criminals package and propagate malicious content along with social-engineering techniques in order to exploit both recent software vulnerabilities and the trusting nature of end-users.

New Java 0-day added to Blackhole Exploit Kit
Posted: 28 Aug 2012 04:44 PM

Earlier today we blogged about a new Java zero-day vulnerability (CVE-2012-4681) being used in a small number of attacks. That's about to change, as exploit code for the Java vulnerability has been added to the most prevalent exploit kit out there: Blackhole.

Here's a snippet of the updated Blackhole code:


The Pre.jar file (VirusTotal link) will use the new vulnerability to install the malware (VirusTotal link) itself. In this particular attack it was a banking trojan as can be seen from our ThreatScope report. Websense customers using our Advanced Classification Engine (ACE) were proactively protected against the updated Blackhole kit by our real-time analytics.


Technically, the new vulnerability is actually two separate vulnerabilities. A technical analysis of both is available on the Immunity Products blog in this post.

Fake AT&T email Installs Malware
Posted: 02 Aug 2012 10:34 AM

Websense® ThreatSeeker® Network detected a massive phishing campaign targeting AT&T customers. More than 200,000 fake emails are masquerading as billing information from the giant American communication services provider. Each message claims that there is a bill of a few hundred US dollars.

In itself, the amount could be large enough to raise suspicion in most of us. Also, hovering the mouse cursor over the link shows that the target Web address differs from the one displayed in the text of the message. Websense Security Labs strongly recommends that you not click links in emails. Instead, manually type the legitimate domain name into your favorite browser and access the website that way.
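The hover check described above (display text naming one site, href pointing at another) can be automated at the mail gateway. This is an added example, not Websense's code: it walks the anchors of an HTML message and flags any whose visible text names a domain that differs from the href's host; the message body and the hosts in it are constructed, and it deliberately ignores "Click here" style links, which carry no domain in their text.

```python
"""Flag anchors whose visible text and href point at different domains."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a hostname inside the visible link text
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host):
    """Crude last-two-labels comparison (no public-suffix list): enough to
    tell att.com from compromised-host.test in this example."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html):
    """Return the links whose text names a domain other than the href host."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = urlsplit(href).hostname or ""
        match = DOMAIN_IN_TEXT.search(text)
        if match and registrable(match.group(1)) != registrable(target):
            flagged.append({"text": text, "href": href})
    return flagged


# Constructed lure in the style of the billing notice described above;
# compromised-host.test stands in for the compromised Web server.
SAMPLE_EMAIL = """
<p>Your bill of $370.24 is ready.</p>
<p><a href="http://compromised-host.test/att/bill.html">www.att.com/billing</a></p>
<p><a href="https://www.att.com/help">https://www.att.com/help</a></p>
<p><a href="http://compromised-host.test/x">Click here</a></p>
"""

if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL):
        print("text %r but href goes to %s" % (hit["text"], hit["href"]))
```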


Clicking on the link in the bogus message sends the user to a compromised Web server that redirects the browser to a Blackhole exploit kit. As a result, malware that is currently not detected by most antivirus products, according to VirusTotal, is downloaded onto the computer.

ThreatScope analysis, part of our CSI service, shows that the malware belongs to the Cridex family. It drops files into the Application Data and Temp folders and then injects code into other processes running on the computer, for example Internet Explorer and Adobe Reader. After this, it contacts a botnet through which the attacker can instruct the malware to take further actions. You can see the full report in our AceInsight portal.


Websense customers are protected by our Advanced Classification Engine (ACE).

Special thanks to: Mary Grace Timcang, Elad Sharf and Patrik Runald

New spear of Black Hole exploit kit targets Java Vulnerability CVE-2012-1723
Posted: 15 Jul 2012 01:00 PM

In early July, an update was issued to the Blackhole exploit kit targeting Java vulnerability CVE-2012-1723. The vulnerability can be used to evade the JRE (Java Runtime Environment) sandbox and load additional Java classes in order to perform malicious actions. Details about the vulnerability are here. At the moment, many of the websites used in this attack that are detected by the Websense® ThreatSeeker® Network are newly registered.

Websense customers are protected from this threat by our Advanced Classification Engine (ACE), which employs multiple methods to detect exploit kits both generically and specifically in real time.

Looking at the past three years, the Java platform has been one of the most popular targets for attackers. Java was designed to be portable, meaning it works on virtually all computer operating systems, such as Windows, Mac, and Linux. We still remember the Mac OS malware Flashback, which infected over 600,000 Apple computers worldwide in April 2012 using Java vulnerability CVE-2012-0507. Even now, we still see many exploit kits that use CVE-2012-0507. Here are the Java platform vulnerabilities used in the wild since 2010:

  • CVE-2010-0094
  • CVE-2010-0840
  • CVE-2010-0842
  • CVE-2010-0844
  • CVE-2010-3552
  • CVE-2010-0886
  • CVE-2010-4452
  • CVE-2011-3521
  • CVE-2011-3554
  • CVE-2012-0507
  • CVE-2012-1723

Although Oracle released a patch in June for the latest vulnerability, cyber criminals are targeting machines that have not yet been updated. We recommend updating the Java platform, if you have it installed, as soon as possible. Also, consider disabling the Java plugin in your Web browser to reduce the risk if you do not use it much.

The official website of GoPro is compromised to serve malicious code
Posted: 04 Jul 2012 05:24 PM

The Websense® ThreatSeeker® Network has detected that the official website of GoPro (at gopro.com), the popular brand for "wearable" cameras, has been compromised and injected with malicious code. We have contacted GoPro and let them know about the compromise but to date, we have not heard back from them.

Update: gopro.com and all the other GoPro affected websites we mentioned in this post are now clean from this injection and no longer serve this malicious content.


Websense customers are protected from this threat with ACE our Advanced Classification Engine.

The injected code resides in multiple locations on the main page. This injection is part of a mass injection campaign that is known to us and is currently doing its rounds on the web (see image 2, marked in red). Our ThreatSeeker Network also spotted that the hosts of localized versions of GoPro.com are injected with malicious code as well; for example, the local website of GoPro France at fr.gopro.com. Other local versions include:

  • de.gopro.com
  • es.gopro.com
  • fr.gopro.com
  • it.gopro.com
  • jp.gopro.com
  • pt.gopro.com
Image 1: The official Website of gopro.com - the main page

Image 2: The injected code marked with red on the official website of GoPro (at gopro.com)

Once a user visits gopro.com, the injected code (marked in red) is translated into an iframe that leads the user, automatically and without any interaction, to a malicious redirector at ad.fourtytwo.proadvertise.net (see image 3 for the full URL). The malicious redirector at ad.fourtytwo.proadvertise.net further redirects the user to an exploit website loaded with the Blackhole exploit kit, located at ad.banchoath.com. On the exploit website, several exploits are sent to the user's browser, and on successful exploitation the user's machine is infected with malware that, at the time of this post, has a ~9% antivirus detection rate according to virustotal.com. The malicious file is an ad-clicker that generates large amounts of traffic to legitimate ad websites from a list of instructions it downloads from a designated server. The malicious file also launches the local browser from time to time to show advertisements.

Image 3: The injected code translates to an iframe that takes the visitor to an exploit website without user interaction

Image 4: The exploit Website is loaded with the infamous Blackhole Exploit Kit

We shall update the blog with additional information as it comes to light.

Injection code masquerades as Google Analytics
Posted: 07 Feb 2012 05:20 AM

The Websense® ThreatSeeker® Network has discovered a new wave of injection of malicious code disguising itself as Google Analytics, by adopting similar code snippets and malicious domains.


It is quite convincing at first glance, but remember that the analytics code is usually placed at the bottom of the page rather than at the top, so this is a good hint for Web masters. Another hint is that they use "UA-XXXXX-X", a placeholder, as their "Google Analytics account", which is obviously not what a real site does. We found other similar domains, like google-analytics[dot]su, in this attack, and will update once we find more. The evil ga.js code is as below:

It is highly obfuscated and hard to understand, but after all of its tricks it ultimately redirects to IP address 37.59.74.145, which hosts the Blackhole exploit kit.
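The three hints this post gives Web masters (a ga.js include served from a look-alike host, a placeholder "UA-XXXXX-X" account, and the snippet sitting at the top of the page) can be turned into a quick integrity check over a page's script tags. This is an added example, not Websense's code; the sample page and the look-alike host google-analytics.example in it are constructed, and the set of genuine Google Analytics hosts is an assumption that a site should adjust to its own configuration.

```python
"""Audit a page's script tags for fake Google Analytics injections."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed set of legitimate ga.js hosts; adjust for your own deployment
GENUINE_GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
REAL_UA_ID = re.compile(r"UA-\d+-\d+")              # real ids are all digits
ANY_UA_ID = re.compile(r"UA-[A-Za-z0-9]+-[A-Za-z0-9]+")


class ScriptCollector(HTMLParser):
    """Record each script's src, inline body and whether it precedes <body>."""

    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._body_started = [], False, False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._body_started = True
        if tag == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src") or "",
                                 "code": "", "in_head": not self._body_started})

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1]["code"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_analytics(html):
    """Return a list of findings; an empty list means nothing looked off."""
    parser = ScriptCollector()
    parser.feed(html)
    findings, at_top = [], False
    for s in parser.scripts:
        host = (urlsplit(s["src"]).hostname or "").lower()
        if urlsplit(s["src"]).path.endswith("ga.js") and host not in GENUINE_GA_HOSTS:
            findings.append("ga.js loaded from non-Google host %s" % host)
        for uid in ANY_UA_ID.findall(s["code"]):
            if not REAL_UA_ID.fullmatch(uid):
                findings.append("placeholder tracking id %s" % uid)
        if s["in_head"] and ("google-analytics" in host or "_gaq" in s["code"]):
            at_top = True
    if at_top:
        findings.append("analytics snippet sits at the top of the page, not the bottom")
    return findings


# Constructed page: an injected look-alike snippet in <head> plus the site's
# own genuine include at the bottom of <body>.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-XXXXX-X']);
_gaq.push(['_trackPageview']);
</script>
<script type="text/javascript" src="http://google-analytics.example/ga.js"></script>
</head><body><h1>Welcome</h1>
<script type="text/javascript" src="https://www.google-analytics.com/ga.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_analytics(SAMPLE_PAGE):
        print("-", finding)
```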


Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.

Malicious email scam "Re: Scan from a Xerox W. Pro #XXXXXXX" returns with a new face
Posted: 18 Jan 2012 05:23 AM

About 6 months ago, a malicious email scam with the subject "Re: Scan from a Xerox W. Pro #XXXXXXX" went wild. This scam has returned – this time, with a new face! Instead of carrying a .zip attachment, as it did in the past, it now prompts you to click a download link. You know you shouldn't click this link, right?

The Websense® ThreatSeeker® Network has detected that the download URL link is actually a malicious URL.


As shown in the screenshot below, there is an iframe in its payload. This redirects the link to a malicious site that hosts a Blackhole exploit kit. Once the iframe is loaded, content from the Blackhole exploit kit site (which contains a highly obfuscated script) is also loaded. Upon decoding the code, we can see that it searches for vulnerable software and uses an appropriate exploit. Successful exploitation executes shellcode that triggers the download and execution of malware.


The kit is currently widespread and popular among attackers. It offers users a software-as-a-service (SaaS) solution, where all they need to do is rent the kit. The domain registration, site configuration, and setup are handled by the author group. Another really interesting aspect of this kit, which uniquely differentiates it from its competitors, is that it provides administration options for smart phones! Users do not need to install any application; it is simply a Web-based interface optimized for smart phones. Furthermore, there is an administration option for this kit to use underground AV (antivirus) scanners for malware. This lets attackers tweak their malware samples to make them undetectable prior to launching their attack live.

So far, the Websense® Triton® Hosted Security Message Center has detected more than 3,000 messages in this campaign.


Websense customers are protected against this attack with ACE, our Advanced Classification Engine.


©2013 Websense, Inc. All Rights Reserved.