Spam campaign uses Blackhole exploit kit to install SpyEye

This article was written in collaboration with my colleague Jean-Ian Boutin.

The Wigon botnet (also known as Cutwail) is being used in a massive spam campaign. A multitude of ruses are used to get the user to click on a link: fake LinkedIn or Facebook notifications, free Windows licenses, fake delivery notices, etc. The links point to the Blackhole exploit kit, which attempts to install malware on the computer through unpatched security flaws. The kit attempts to use the recently added exploit for CVE-2011-3544 in Java. Many systems have not yet been patched for this vulnerability, leaving them at risk of compromise; screenshots of Blackhole panels published by French malware researchers Xylitol and Malekal show that this vulnerability accounts for over 80% of successful infections.

CVE-2011-3544 now exploited by Blackhole

The following screenshot shows a part of the decompiled code of the Java applet used by Blackhole which is exploiting the flaw.

JAR file exploiting CVE-2011-3544

One of the files dropped through this spam campaign is a SpyEye sample, detected by ESET as Win32/Spy.SpyEye Trojan. This banking trojan was configured to steal banking information from clients of BAWAG PSK, the fourth largest bank in Austria. Once a computer is infected, the malware can change the content of the web pages the user sees when visiting the BAWAG eBanking service. The following screenshots show that both the phishing warning and the bank's contact information are removed from the login page by the malware.

Phishing warnings and contact information removed by SpyEye

Once the user logs in, his personal information is stored and sent to the C&C server. According to the SpyEye tracker, the C&C server used by this sample is still online and is hosted in Azerbaijan.

An obfuscated JavaScript is inserted into the eBanking web page and is used to transfer money from the user's account to the cybercriminal's account. The script also has the ability to hide operations performed on the user's account by modifying the displayed account balance and transfer history. The following screenshot shows a code snippet used to modify the account balance in order to hide a transfer that has already occurred.

Finally, here is a screenshot showing the code used to send status information when a successful transfer occurs.

BAWAG PSK has been notified of this targeted attack. As always we advise our readers not to click links in spam or suspicious messages and to keep their installed software and antivirus up to date.

SpyEye sample MD5 hash: 4c5698ea403be8300d26dbc6bb16f302

Author Sébastien Duquette, ESET

  • Pierre-Marc Bureau

    This blog describes facts as we have uncovered them by reverse engineering the Blackhole exploit kit and one of its payloads, a SpyEye banking trojan. We should note that it is highly unlikely that victims of this type of attack will have their bank accounts automatically emptied by cyber criminals. Banks typically have multiple defense mechanisms in place to protect their customers and we have been assured that this is the case for BAWAG PSK bank.


Copyright © 2017 ESET, All Rights Reserved.