Big news stories are always an opportunity for scammers and spammers, who attempt to redirect users to malicious exploit kits or other unwanted services. Britain’s royal baby is the latest news to offer cover for malware. We have already found a lot of spam messages regarding the birth and baby that lead users to the infamous Blackhole exploit kit.
The initial infection arrives as spam mail that contains a redirection URL in the following format:
Figure 1: Spam email.
Figure 2: Spam URL.
Figure 3: Blackhole landing page redirector.
The second-level URL shows us the actual landing page of the Blackhole exploit kit, which leads us to this content:
Figure 4: Customized encoded Blackhole landing page.
Figure 5: Decoded Blackhole landing page (PluginDetect.js with malicious URL).
The following browser plug-ins are known to be targeted by the exploit kit:
- Java Runtime Environment
- Adobe PDF Reader
McAfee coverage for the PluginDetect.js zero-day threat is JS/Exploit!JNLP.d.
The following images show the PDF and Java downloading a malicious URL:
Figure 6: JAR file downloading the URL in PluginDetect.js.
Figure 7: PDF file downloading the URL in PluginDetect.js.
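As an added example that is not part of the original post, the following Python snippet sketches a defender-side triage check for a captured landing page: it looks for PluginDetect-style fingerprinting of the two plug-ins the post names (Java and Adobe Reader) and pulls out the applet/iframe references that would fetch the JAR or PDF. The sample page, the `getVersion` call pattern and the payload paths are constructed assumptions for illustration, not content from the campaign.

```python
import re

# Constructed sample of a captured landing page body (assumption, not the
# real page): PluginDetect probes for Java and Adobe Reader, then writes an
# applet and an iframe pointing at placeholder payload paths.
SAMPLE_LANDING_PAGE = """
<html><body><script>
/* PluginDetect */
var PluginDetect={getVersion:function(n){return null;}};
var j=PluginDetect.getVersion("Java");
var p=PluginDetect.getVersion("AdobeReader");
if(j){document.write('<applet archive="/jar-placeholder.php"></applet>');}
if(p){document.write('<iframe src="/pdf-placeholder.php"></iframe>');}
</script></body></html>
"""

# Assumed PluginDetect usage: PluginDetect.getVersion("<plugin name>").
PLUGIN_PROBE = re.compile(r'PluginDetect\.getVersion\(\s*["\'](\w+)["\']\s*\)')
# applet archive="..." and iframe src="..." references written into the page.
PAYLOAD_REF = re.compile(r'(?:archive|src)\s*=\s*["\']([^"\']+)["\']', re.I)
# Plug-ins the post lists as targeted by the kit.
TARGETED = {"Java", "AdobeReader"}


def analyze_landing_page(html):
    """Return the targeted plug-ins fingerprinted on the page and the payload
    references found; 'suspicious' is True only when both are present."""
    probed = set(PLUGIN_PROBE.findall(html))
    fingerprinted = sorted(probed & TARGETED)
    payloads = PAYLOAD_REF.findall(html)
    return {
        "fingerprinted": fingerprinted,
        "payloads": payloads,
        "suspicious": bool(fingerprinted) and bool(payloads),
    }


if __name__ == "__main__":
    print(analyze_landing_page(SAMPLE_LANDING_PAGE))
```

A hit here is a triage signal for a sandbox or proxy log review, not proof of infection; the JAR and PDF still need to be fetched and examined in isolation.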
This chain redirection could leave victims infected with one of these malware families:
For more detail about the Blackhole exploit kit, please refer to the McAfee Threat Advisory Library.
Thanks to my colleague Rohan Shah for his assistance with this blog.