Thursday, January 27, 2022

BlackHole being used to target businesses

Attackers launched a campaign earlier this week in which they sent out a mass of emails purporting to come from the financial software developer Intuit.

The emails carried links that led to sites hosting the Blackhole exploit kit, in an obvious attempt to infect the machines of corporate users.

In a Webroot analysis, Dancho Danchev explains that the two separate campaigns imitated Intuit Payroll's direct deposit notifications in the hope that recipients would follow the malicious links in the emails and be served the latest version of the Blackhole exploit kit.

The kit exploits CVE-2010-0188, an Adobe Reader vulnerability disclosed two years earlier. On successful exploitation it drops two payloads onto the host, with MD5 hashes 5723f92abf257101be20100e5de1cf6f and 06c6544f554ea892e86b6c2cb6a1700c.

The various malicious domains used in the campaign resolved to the same small set of IP addresses, a sign that they shared hosting infrastructure. A list of the malicious URLs is in Danchev's write-up.
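The two indicators the write-up gives, payload hashes and domains that resolve to shared IPs, are the kind of thing a defender wants to turn into a sweep. The script below is an added example written for this page, not code from Webroot or Danchev: it takes the two MD5s quoted above as a watchlist, clusters domain-to-IP resolution records to find domains that share hosting (the records here are constructed placeholders, since the real domain list lives in the write-up), builds a blocklist from those clusters, and flags links in an email body whose host falls under a blocked domain. The email text and sample file bytes are likewise constructed for illustration.

```python
"""IOC sweep for the Intuit-themed Blackhole campaign (added example, not from the write-up)."""
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Payload MD5s quoted in the Webroot write-up.
PAYLOAD_MD5S = {
    "5723f92abf257101be20100e5de1cf6f",
    "06c6544f554ea892e86b6c2cb6a1700c",
}

# CONSTRUCTED passive-DNS style records (domain, resolved IP). These are placeholders
# that only illustrate the shared-IP pattern; the real domains are in Danchev's post.
RESOLUTIONS = [
    ("intuit-payroll-notice.example", "198.51.100.23"),
    ("direct-deposit-alert.example", "198.51.100.23"),
    ("payroll-confirm.example", "198.51.100.23"),
    ("intuit-payroll-notice.example", "203.0.113.7"),
    ("direct-deposit-alert.example", "203.0.113.7"),
    ("unrelated-site.example", "192.0.2.1"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string, as lowercase hex (matches how the IOCs are published)."""
    return hashlib.md5(data).hexdigest()


def match_payloads(samples, watchlist=PAYLOAD_MD5S):
    """Names of samples (name -> bytes) whose MD5 is on the watchlist, sorted."""
    return sorted(name for name, data in samples.items() if md5_hex(data) in watchlist)


def cluster_by_ip(records):
    """Group resolution records by IP: ip -> set of domains seen resolving to it."""
    ip_to_domains = defaultdict(set)
    for domain, ip in records:
        ip_to_domains[ip].add(domain.lower())
    return ip_to_domains


def shared_infrastructure(records, min_domains=2):
    """IPs hosting at least min_domains distinct domains -> sorted list of those domains."""
    return {ip: sorted(doms) for ip, doms in cluster_by_ip(records).items()
            if len(doms) >= min_domains}


def blocklist_from_clusters(records, min_domains=2):
    """Every domain that shares an IP with at least one other campaign domain."""
    blocked = set()
    for doms in shared_infrastructure(records, min_domains).values():
        blocked.update(doms)
    return blocked


def suspicious_links(email_body, blocked_domains):
    """URLs in the email whose host, or any parent domain of it, is on the blocklist."""
    hits = []
    for url in URL_RE.findall(email_body):
        host = (urlparse(url).hostname or "").lower()
        parts = host.split(".")
        # Check host, then each parent domain (sub.a.b -> a.b -> b).
        if any(".".join(parts[i:]) in blocked_domains for i in range(len(parts))):
            hits.append(url)
    return hits


if __name__ == "__main__":
    # Constructed lure text modelled on the campaign's theme; not a real email.
    EMAIL = ("Your Intuit Payroll direct deposit is ready. Review it at "
             "http://intuit-payroll-notice.example/main.php?page=3f2c1 before Friday. "
             "Help: https://support.example.org/help")
    blocked = blocklist_from_clusters(RESOLUTIONS)
    print("shared hosting:", shared_infrastructure(RESOLUTIONS))
    print("blocked domains:", sorted(blocked))
    print("suspicious links:", suspicious_links(EMAIL, blocked))
    # Constructed sample bytes; a real sweep would read dropped files from disk.
    print("payload matches:", match_payloads({"update.exe": b"constructed benign bytes"}))
```

The parent-domain walk in `suspicious_links` matters in practice: exploit-kit landing pages are usually served from throwaway subdomains, so matching only the exact host would miss most of them. Clustering by IP before building the blocklist is the same pivot the write-up relies on: a single shared IP ties otherwise unrelated-looking domains to one campaign.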

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
