Research & Intelligence

Cutwail Spam Swapping Blackhole for Magnitude Exploit Kit

Cutwail Spam Swapping Blackhole for Magnitude Exploit Kit

Shortly after reports that the developer of the Blackhole exploit kit was arrested, one of the groups leveraging the Cutwail spam botnet changed tactics, switching which exploit kit they use to distribute malware.

Cutwail has historically distributed the Gameover Zeus trojan through various themed spam campaigns (see Figure 1) in combination with malicious embedded links that led to the Blackhole exploit kit. Dell SecureWorks Counter Threat Unit™ (CTU™) security intelligence researchers have observed a shift by one of the groups using the Cutwail botnet from Blackhole to another exploit kit known in the security community as Magnitude (formerly known as Popads).

Example of spam lure distributed by the Cutwail botnet.
Figure 1. Example of spam lure distributed by the Cutwail botnet. (Source: Dell SecureWorks)

The spam email contains an embedded malicious link that opens a website and displays the message “We detected your browser is NOT up-to-date” (see Figure 2).

Example of fake website
Figure 2. Example of fake "update your browser" website. (Source: Dell SecureWorks)

This message is part of a social engineering ploy to convince users to download and run an executable. Instead of a browser update, the user unknowingly installs Gameover Zeus. At the same time, a malicious iFrame redirects the browser to the Magnitude exploit kit. CTU researchers observed Magnitude installing the ZeroAccess trojan if the victim’s system was vulnerable to any of the attempted vulnerabilities:

  • CVE-2011-3402
  • CVE-2012-0507
  • CVE-2013-2463
  • CVE-2013-2551

Figure 3 shows the network activity for the Magnitude exploit kit from the landing page, and the ZeroAccess geographic lookup using the Maxmind JavaScript API.

Request chain associated with Magnitude exploit kit.
Figure 3. Request chain associated with Magnitude exploit kit. (Source: Dell SecureWorks)

Cybercriminals quickly adjusted their operation to maintain continuity. Combining social engineering with ex ploit kits sets the stage for a successful campaign and maximizes the potential for infecting as many victims as possible.

CTU researchers recommend that customers use available controls to restrict access using the indicators in Table 1. The domains listed in the indicators table may contain malicious content, so consider the risks before opening them in a browser.

Indicator Type Context
hxxp://netderegalos.com/messag_id.html URL Link pointing to the exploit kit
hxxp://netderegalos.com/messag_id.html URL Link pointing to the exploit kit
hxxp://composite-namviet.com/messag_id.html URL Link pointing to the exploit kit
hxxp://sibcorona.com/messag_id.html URL Link pointing to the exploit kit
hxxp://papakarolalbum.com/messag_id.html URL Link pointing to the exploit kit
hxxp://www.076671179.com/messag_id.html URL Link pointing to the exploit kit
hxxp://pastrotarians.com/messag_id.html URL Link pointing to the exploit kit
hxxp://preordersite.com/messag_id.html URL Link pointing to the exploit kit
hxxp://bdparty24.com/messag_id.html URL Link pointing to the exploit kit
hxxp://www.kentinghome.com/messag_id.html URL Link pointing to the exploit kit
hxxp://gpllink.com/messag_id.html URL Link pointing to the exploit kit
hxxp://post41.com/messag_id.html URL Link pointing to the exploit kit
hxxp://abldg.com/messag_id.html URL Link pointing to the exploit kit
hxxp://www.thistledki.com/messag_id.html URL Link pointing to the exploit kit
hxxp://glavelectro.com/messag_id.html URL Link pointing to the exploit kit
hxxp://energy-linksllc.com/messag_id.html URL Link pointing to the exploit kit
hxxp://aquapaints.com/messag_id.html URL Link pointing to the exploit kit
hxxp://eintracht-mensengesaess.com/messag_id.html URL Link pointing to the exploit kit
hxxp://ozbaraklikasabasi.com/messag_id.html URL Link pointing to the exploit kit
hxxp://jeostatik.com/messag_id.html URL Link pointing to the exploit kit
hxxp://naranshigtgee.com/messag_id.html URL Link pointing to the exploit kit
hxxp://hasaysuenerji.com/messag_id.html URL Link pointing to the exploit kit
hxxp://hhozeainterios.com/messag_id.html URL Link pointing to the exploit kit
hxxp://matrixcl.com/messag_id.html URL Link pointing to the exploit kit
hxxp://electronelectronic.com/messag_id.html URL Link pointing to the exploit kit
hxxp://meganrosebill.com/messag_id.html URL Link pointing to the exploit kit
hxxp://coedsportsnet.com/messag_id.html URL Link pointing to the exploit kit
hxxp://www.lhm22.com/messag_id.html URL Link pointing to the exploit kit
hxxp://appleteknik.com/messag_id.html URL Link pointing to the exploit kit
hxxp://makeupstil.crystaldemon.com/messag_id.html URL Link pointing to the exploit kit
hxxp://nealclaimsconsulting.com/messag_id.html URL Link pointing to the exploit kit
hxxp://barlboroughspa.com/messag_id.html URL Link pointing to the exploit kit
hxxp://www.pentasbakat.com/messag_id.html URL Link pointing to the exploit kit
hxxp://vitalinegroup.com/messag_id.html URL Link pointing to the exploit kit
hxxp://property-maintenance-ltd.com/messag_id.html URL Link pointing to the exploit kit
hxxp://ffhkl.com/messag_id.html URL Link pointing to the exploit kit
hxxp://sztambuch.com/messag_id.html URL Link pointing to the exploit kit
hxxp://corps-professions-liberales.com/messag_id.html URL Link pointing to the exploit kit
hxxp://otodemirgil.com/messag_id.html URL Link pointing to the exploit kit
hxxp://lisarde.com/messag_id.html URL Link pointing to the exploit kit
hxxp://footballdesktop.com/messag_id.html URL Link pointing to the exploit kit
hxxp://attentiveinsurance.com/messag_id.html URL Link pointing to the exploit kit
hxxp://www.imaroci.com/messag_id.html URL Link pointing to the exploit kit
hxxp://atilanoseguros.com/messag_id.html URL Link pointing to the exploit kit
hxxp://www.ownersteak.com/messag_id.html URL Link pointing to the exploit kit
hxxp://canadapaperandlumber.com/messag_id.html URL Link pointing to the exploit kit
hxxp://dsahanddairy.com/messag_id.html URL Link pointing to the exploit kit
hxxp://jan-bd.com/messag_id.html URL Link pointing to the exploit kit
hxxp://mape.spidergim.com/messag_id.html URL Link pointing to the exploit kit
hxxp://facilities-management-ltd.com/messag_id.html URL Link pointing to the exploit kit
hxxp://mpcityhall.com/messag_id.html URL Link pointing to the exploit kit
hxxp://azaranmachine.com/messag_id.html URL Link pointing to the exploit kit
hxxp://lorenzobergamini.com/messag_id.html URL Link pointing to the exploit kit
hxxp://nicholsonremodeling.com/messag_id.html URL Link pointing to the exploit kit
hxxp://dovilio.com/messag_id.html URL Link pointing to the exploit kit
hxxp://motoravto.com/messag_id.html URL Link pointing to the exploit kit
hxxp://elizegiharategia.com/messag_id.html URL Link pointing to the exploit kit
hxxp://www.xianghone.com/messag_id.html URL Link pointing to the exploit kit
hxxp://mountainparkmall.com/messag_id.html URL Link pointing to the exploit kit
hxxp://disneyfashion-bd.com/messag_id.html URL Link pointing to the exploit kit
hxxp://ksico.com/messag_id.html URL Link pointing to the exploit kit
hxxp://excellenceinprocurement.yewbarrow.com/messag_id.html URL Link pointing to the exploit kit
hxxp://stal-stroy.com/messag_id.html URL Link pointing to the exploit kit
hxxp://jurvanelectronics.com/messag_id.html URL Link pointing to the exploit kit
hxxp://magasinmedical.com/messag_id.html URL Link pointing to the exploit kit
hxxp://everythingiceland.com/messag_id.html URL Link pointing to the exploit kit
hxxp://hotbeams.com/messag_id.html URL Link pointing to the exploit kit
hxxp://ski-sochi.com/messag_id.html URL Link pointing to the exploit kit
hxxp://russoffice.com/messag_id.html URL Link pointing to the exploit kit
hxxp://ultra-erection.com/messag_id.html URL Link pointing to the exploit kit
hxxp://irasakisushi.com/messag_id.html URL Link pointing to the exploit kit
hxxp://flowersperth.com/messag_id.html URL Link pointing to the exploit kit
hxxp://www.centromedicosanpaio.com/messag_id.html URL Link pointing to the exploit kit
hxxp://whooradio.com/messag_id.html URL Link pointing to the exploit kit
hxxp://fa.mojallalcatering.com/messag_id.html URL Link pointing to the exploit kit
hxxp://marihuana.spidergim.com/messag_id.html URL Link pointing to the exploit kit
hxxp://balbinoehijos.com/messag_id.html URL Link pointing to the exploit kit
hxxp://gobuygift.com/messag_id.html URL Link pointing to the exploit kit
hxxp://brookswags.com/messag_id.html URL Link pointing to the exploit kit
hxxp://aticoencarcaixent.com/messag_id.html URL Link pointing to the exploit kit
hxxp://stronawnet.com/messag_id.html URL Link pointing to the exploit kit
hxxp://libplppws.com/messag_id.html URL Link pointing to the exploit kit
hxxp://www.dungye.com/messag_id.html URL Link pointing to the exploit kit

Table 1. Indicators associated with these threats.



ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM

The Secureworks Counter Threat Unit™ (CTU) is a dedicated threat research team that analyzes threat data across our global customer base and actively monitors the threat landscape.
Back to all Blogs

GET THE LATEST SECURITY UPDATES

Thank you for your submission.

Try Taegis Today

Request a demo to see how Taegis can reduce your risk, optimize your existing security investments, and fill your talent gaps.