As predicted, since his arrest in early October, the two kits - of which Blackhole was the most used one - stopped receiving updates and the exploits they wielded got stale, making the kits a way less effective tools than before.
Cyber crooks aiming to continue to distribute malware had to find a new way, and that turned out to be the Upatre downloader Trojan.
“We’ve found that the Cutwail botnet responsible for the major Blackhole Exploit Kit spam runs started sending out runs carrying Upatre (which ultimately leads to CryptoLocker) right around October, the same month of Paunch’s arrest,” Trend Micro researchers have shared. “In fact, we have monitored multiple IPs involved in the transition – sending Blackhole Exploit Kit spam shortly before the arrest and sending CryptoLocker spam after the arrest.”
The Upatre downloader is usually delivered as a malware attachment in spam emails. It has only one goal and does it well: it downloads and executes a file from a compromised web server, and then exits. It used to be that it would download mostly Zeus variants, but now Cryptolocker is usually delivered instead.
“The Cutwail botnet has the capability to send very high numbers of spam messages, which explains the high incidence of this recent spin in ransomware,” the researchers pointed out. “It also highlights, somewhat perversely, how resilient cybercrime can be: the response to Paunch’s departure was remarkably quick and may have ended up affecting more people than they had before.”