As predicted, since his arrest in early October, the two kits - of which Blackhole was the most used one - stopped receiving updates and the exploits they wielded got stale, making the kits a way less effective tools than before.
Cyber crooks aiming to continue to distribute malware had to find a new way, and that turned out to be the Upatre downloader Trojan.
“We’ve found that the Cutwail botnet responsible for the major Blackhole Exploit Kit spam runs started sending out runs carrying Upatre (which ultimately leads to CryptoLocker) right around October, the same month of Paunch’s arrest,” Trend Micro researchers have shared. “In fact, we have monitored multiple IPs involved in the transition – sending Blackhole Exploit Kit spam shortly before the arrest and sending CryptoLocker spam after the arrest.”
The Upatre downloader is usually delivered as a malware attachment in spam emails. It has only one goal and does it well: it downloads and executes a file from a compromised web server, and then exits. It used to be that it would download mostly Zeus variants, but now Cryptolocker is usually delivered instead.
“The Cutwail botnet has the capability to send very high numbers of spam messages, which explains the high incidence of this recent spin in ransomware,” the researchers pointed out. “It also highlights, somewhat perversely, how resilient cybercrime can be: the response to Paunch’s departure was remarkably quick and may have ended up affecting more people than they had before.”
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.