Banking Malware Botnet Operators Switch To New Attack Kit


The cybercriminal organization that maintains a notorious botnet known for sending out millions of spam messages that spread banking malware and other threats has turned to a new automated attack toolkit to help bolster its campaigns.

The gang behind the Cutwail botnet has ditched the popular Blackhole exploit kit in favor of the Magnitude toolkit, according to security researchers at Dell SecureWorks. The move came just days after authorities arrested the alleged maintainer of Blackhole, swiftly ending support of the toolkit.

The arrest disrupted the toolkit's encryption mechanism, and security experts who have been monitoring the toolkit told CRN that Blackhole suddenly stopped receiving daily updates. The toolkit, which was sold to cybercriminals via a subscription model, had been receiving daily updates with subtle modifications and exploits to help it bypass antivirus and other signature-based security software.

[Related: Blackhole Author Arrested: 10 Facts About The Automated Attack Toolkit]

A Dell SecureWorks spokesperson told CRN that researchers believe the Web service behind the exploit toolkit's encrypted binary website has likely been disabled. Blackhole infections originating from the servers the Blackhole creator used to host leased instances of the toolkit have declined. Dell SecureWorks researchers said cybercriminals who run the toolkit on their own servers will continue to be able to infect systems, despite the disruption.

Dell SecureWorks Friday issued a new analysis of the impact of the arrest, showing the Cutwail botnet changing tactics. Victims were being redirected by the botnet to servers hosting the Magnitude exploit kit. The redirect formerly sent victims to Blackhole, Dell SecureWorks said.

"Cybercriminals quickly adjusted their operation to maintain continuity," Dell SecureWorks said. "Combining social engineering with exploit kits sets the stage for a successful campaign and maximizes the potential for infecting as many victims as possible."

Magnitude, formerly known as Popads, is among dozens of attack toolkits available for purchase on hacking forums. Security experts say it is associated with the ZeroAccess Trojan, which is known to support Bitcoin-related attacks and click fraud. Magnitude has been seen using Windows XP, Adobe Flash and Java exploits against victims.

The operators behind Cutwail have been extremely active in recent months, updating the botnet with new capabilities. Cutwail received a new communications mechanism in May, making it more resilient to take-downs. The update coincided with an increase in Zeus banking malware attacks.

PUBLISHED OCT. 21, 2013