Threat Lab

While the authors/support teams of some of the market leading Web malware exploitation kits are competing on their way to be the first kit to introduce a new exploit on a mass scale, others, largely influenced by the re-emergence of the DIY (do-it-yourself) trend across the cybercrime ecosystem, continue relying on good old fashioned social engineering attacks.

In this post, I’ll profile a beneath-the-radar type of DIY Java-based botnet building tool, which is served through the usual unsigned, yet malicious Java applet.

More details: read more…

By Dancho Danchev

On a daily basis we process multiple malicious campaigns that, in 95%+ of cases, rely on the market leading Black Hole Exploit Kit. The fact that this Web malware exploitation kit is the kit of choice for the majority of cybercriminals, speaks for its key differentiation factors/infection rate success compared to the competing exploit kits, like, for instance, the Sweet Orange exploit kit or the Nuclear Exploit pack v2.0.

In this post I’ll profile the EgyPack, a Web malware exploitation kit that was originally advertised on invite-only/vetted cybercrime friendly communities between the period of 2009-2011. List its core features, provide exclusive screenshots of its administration panel, and discuss why its business model failed to scale, leading to its virtually non-existent market share.

More details:

read more…

In times when we’re witnessing the most prolific and systematic abuse of the Internet for fraudulent and purely malicious activities, there are still people who cannot fully grasp the essence of the cybercrime ecosystem in the context of the big picture — economic terrosm — and in fact often deny its existence, describing it as anything else but an underdeveloped sellers/buyers market.

That’s totally wrong.

In this post, I’ll discuss the cybercrime ecosystem events that eventually led to the leakage of a private DIY botnet building and managing platform – with the idea to raise more awareness on the dynamics taking place within the vibrant ecosystem.

More details: read more…

A couple of days ago our sensors picked up two separate malicious email campaigns, both impersonating Data Processing Services, that upon successful client-side exploitation (courtesy of the Black Hole Exploit Kit), drops an identical piece of malicious software.

Let’s dissect the campaigns, expose the malicious domains portfolio, connect them to previously profiled malicious campaigns, and analyze the behavior of the dropped malware.

More details:

read more…

Over the past week, we intercepted a massive ‘ADP Payroll Invoice” themed malicious spam campaign, enticing users into executing a malicious file attachment. Once users execute the sample, it downloads additional pieces of malware on the affected host, compromising the integrity, and violating the confidentiality of the affected PC.

More details:

read more…

Cybercriminals are currently spamvertising tens of thousands of malicious emails impersonating BBC News, in an attempt to trick users into thinking that someone has shared a Cyprus bailout themed news item with them. Once users click on any of the links found in the fake emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

Risk-forwarding is an inseparable part of the cybercrime ecosystem.

Whether it’s the use of malware-infected hosts as stepping-stones, the issuing of License Agreements for your latest rootkit release stating that it’s meant to be tested against the customer’s own systems — you wish — or the selling of cheap access to verified PayPal accounts, in an attempt to mitigate the “cash-out” risk by forwarding it to a more experienced cybercriminal, the process of risk-forwarding is visible across the entire ecosystem.

In this post I’ll discuss a recently spotted Wetern Union based money mule management script. While the cybercriminals are currently developing this script, it is evidence of a cybercrime ecosystem trend focusing on the efficiency-centered standardization mentality of sophisticated cybercriminals.

More details: read more…

By Dancho Danchev

Cybercriminals are currently mass mailing tens of thousands malicious ‘CNN Breaking News’ themed emails, in an attempt to trick users into clicking on the exploit-serving and malware-dropping links found within. Once users click on any of the links found in the bogus emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

By Dancho Danchev

On the majority of occasions, cybercriminals will take basic OPSEC (Operational Security) precautions when using the Internet, in an attempt to make it harder for law enforcement to keep track of their fraudulent activities. Over the years, these techniques have greatly evolved to include hybrid online anonymity solutions offered exclusively to cybercriminals internationally.

In this post, I’ll profile a cybercrime-friendly service that’s been offering hacked PCs to be converted into “anonymization stepping-stones” since 2004.

More details: read more…

By Dancho Danchev

Utilizing basic site ‘stickiness’ and visitor retention practices, over the years, cybercrime-friendly communities have been vigorously competing to attract, satisfy, and retain their visitors. From exclusive services available only to community members, to DIY cybercrime-friendly tools, the practice is still a common way for the community administrators to boost the underground reputation of their forum.

However, there are certain communities that will use the underground reputation of their forum to boost their sales, by releasing private DIY cybercrime-friendly tools, and promoting them under the umbrella of the community brand.

In this post, I’ll profile a HTTP/SMTP-based keylogger that’s been commercially available to members of a cybercrime-friendly community since 2011.

More details:

read more…

By Dancho Danchev

A currently ongoing malicious email campaign is impersonating ADP in an attempt to trick its customers into thinking that they’ve received a ‘Package Delivery Notification.’ In reality though, once a user clicks on any of the links found in the malicious email, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…

Over the last couple of days, a cybercricriminal/gang of cybercriminals that we’ve been extensively profiling, resumed spamvertising tens of thousands of emails, in an attempt to trick users that they have a pending wire transfer. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

read more…