Blackshades RAT remains popular among cybercriminals; in fact, its usage has increased despite the fact that police arrested the man they believe to be its developer, Michael Hogue.
The tool is still on the market and people are still using it, despite reports of its author’s arrest and despite the fact that its source code leaked back in 2010, Symantec said.
After investigating the command and control (C&C) servers used in the attacks, researchers found a link between Blackshades RAT (W32.Shadesrat) and the Cool Exploit Kit: attackers used Cool to distribute W32.Shadesrat alongside other pieces of malware.
That arrangement lasted until recently, when Russian police said they had arrested the exploit kit’s creator, known as Paunch. After BlackHole and Cool disappeared from the market, the Neutrino exploit kit took their place.
Most W32.Shadesrat infections have been in India, the United States, and the United Kingdom. The threat ends up stealing credentials for email services, FTP clients, instant messaging apps and Web services from infected devices.
Researchers identified hundreds of C&C servers to which the stolen information is uploaded; most of these servers hosted exploit kits at some point.
As for the location of these servers, most of them are in Lithuania and the United States.
“The distribution of the threats suggests that the attackers attempted to infect as many computers as possible,” Symantec’s Santiago Cortes noted in a blog post. “The attackers do not seem to have targeted specific people or companies.”
“This demonstrates how complete the threat landscape is, as well as the resources that attackers have at their disposal.”