Ever since police arrested the person they feel is responsible for Blackhole, there has been a significant reduction in spam campaigns using the exploit kit, creating a vacuum in the spam-sending world.
However, the Upatre exploit kit has become one of the preferred replacements for Blackhole, which had been a common tool of cybercrooks since 2010, said researchers at Trend Micro. Upatre is a significant vector for the spread of CryptoLocker.
“We’ve found that the Cutwail botnet responsible for the major Blackhole Exploit Kit spam runs started sending out runs carrying Upatre (which ultimately leads to CryptoLocker) right around October,” Maria Manly, an anti-spam research engineer at Trend Micro said in a blog post. “In fact, we have monitored multiple IPs involved in the transition – [from] sending Blackhole Exploit Kit spam [to] sending CryptoLocker spam.”
“The Cutwail-Upatre-ZeuS-CRILOCK infection chain we spotted on October 21 may be the most common infection chain used to spread CryptoLocker,” she said.
The Cutwail botnet has the capability to send very high numbers of spam messages, a factor that might go a long way toward explaining the sudden recent upsurge in CryptoLocker activity.
CryptoLocker is an aggressive ransomware Trojan. It normally arrives in an email as an executable file disguised as a PDF file, packed into a zip attachment. If opened, the malware attempts to encrypt the user’s documents across both local and any mapped network hard drives. The malware uses an encryption key generated on a command-and-control server and sent to the infected computer. If successful, CryptoLocker will encrypt users’ files using asymmetric encryption, featuring a public and private key pair.
The owner then receives a ransom demand, payable within 72 hours, of around $300 or more.
The reaction to Blackhole’s removal from play “highlights, somewhat perversely, how resilient cybercrime can be,” Manly said.