
Report: BlackHole Attacks Dominate Q3, Cridex Takes Banking Trojan Title

Banking Trojans delivered through pages built with the BlackHole exploit kit dominated the malware scene over the third quarter, according to a new threat report from managed security services firm Solutionary.

The majority of the malware is mass-distributed through phishing emails masquerading as messages from trusted brands, or through plain spam, Solutionary said in its first quarterly research report, covering the third quarter of 2012 and released Thursday. The original plan was to present an analysis of all the malware samples examined, but the Security Engineering Research Team (SERT) at Solutionary decided to narrow the focus to the BlackHole exploit kit and its payloads after realizing how thoroughly BlackHole attacks dominated the quarter, Solutionary said.

Email remained the most common way to deliver banking Trojans, Solutionary said in its report, and malicious pages built using the BlackHole exploit toolkit proliferated during the quarter. Recent Solutionary analysis suggests BlackHole represents 67 percent of all exploit kit attacks, making it the most popular kit among cyber-criminals.

Cridex Overtakes Zeus

“The malware types identified in our report impact enterprises, SMBs, government agencies and consumers,” said Rob Kraus, director of SERT.

While several large financial institutions were hit by a wave of distributed denial of service attacks at the end of September, most small-to-midsized financial institutions battled a BlackHole campaign that used DDoS attacks as a diversionary tactic.

Large financial institutions, including Bank of America, Wells Fargo, PNC Bank, and JPMorgan Chase, experienced high traffic volumes and intermittent outages within a few days of each other over a two-week period. While these highly disruptive attacks don’t appear to have resulted in financial fraud or theft, the group responsible and its motivations remain unclear.

Solutionary referred to the September warnings from the Federal Bureau of Investigation (FBI) and the Internet Crime Complaint Center in its analysis of the BlackHole operation against smaller financial organizations. In these attacks, banking personnel were targeted with spam containing malicious links directing victims to BlackHole-enabled Websites. When users clicked on the link, they were infected with banking Trojans, usually ZeuS or Cridex, according to Solutionary. What set this campaign apart from other fraudulent wire transfer operations was that many of the victims were also hit with DDoS attacks.

The fraudulent wire transfers were preceded or followed by DDoS attacks intended to cover up the fraudulent activity, Solutionary said in its report. In some cases, the attacks were launched with the DirtJumper botnet.


“Cybercriminals constantly evolve malware and attack techniques to evade security and gain the most profit from their targets,” said Kraus.

Solutionary found that 92 percent of the malware samples analyzed by SERT over the last quarter were mass-distributed malware. Of that malware, the majority were banking Trojans, including ZeuS, Gameover, and Cridex. In fact, the report found that of the samples analyzed over the quarter, 91 percent of the banking Trojans belonged to the Cridex family.

Cridex copies itself to the victim’s system and attempts to inject itself into several processes that are running at the time. Like ZeuS, Cridex has a configuration file that lists the HTML pages and Websites into which it can inject code. Cridex is not just after banking information: it can also harvest user credentials for social media sites and monitor and manipulate cookies. The harvested data is saved to a file and sent back to a command-and-control server.

“Only 54 percent of those samples were detected by common anti-virus software at the time of analysis,” Solutionary said in its report, noting that the variants were relying on obfuscated code to avoid detection.
