Despite the 2012 arrest, and the fact that the Blackshades code was leaked in 2010, the tool is still being sold and used in cybercriminal activity, according to the Symantec Security Response team, which has noticed that the use of the RAT has increased over the last five months.
Blackshades will gather passwords and credentials from infected systems, sending them back to the malicious command-and-control (C&C) server. It targets a wide variety of credentials, too, including email services, web services, instant messaging applications and FTP clients. Spammers looking for new mail credentials, attackers trying to continue their security breaches with access to new servers and services, and attackers looking for specific information to exfiltrate might be interested in this kind of information, Symantec noted.
“This increase in activity prompted us to investigate the main C&C servers that manage the latest infections,” wrote antiago Cortes, a researcher with Symantec, in a blog. “We identified hundreds of C&C servers being used to gather credentials from compromised computers.”
Also, once an unsuspecting user has been compromised, multiple payloads are downloaded and used to retain control via remote administration tools or downloaders that enable bad actors to install additional malware with new functionalities.
During the latest spike, Blackshades is being disseminated by the Cool Exploit malware kit – which is somewhat surprising. Exploit kits like Cool Exploit and Blackhole have led to a spectacular increase of attacks against web servers using recently discovered vulnerabilities to target industries, think tanks, government institutions and users. But after the arrest of Paunch, the author of both the Blackhole exploit kit and Cool Exploit, both have nearly disappeared, leaving Neutrino as the new kit of choice.
“During our research, we found that nearly all of the C&C servers have hosted exploit kits at some point,” Cortes said. “These kits try to exploit different vulnerabilities in the user’s computer to execute a malicious payload and infect them. Underground teams have a wide range of resources to perform their attacks.”
In the current Blackshades spike, Lithuania and the US host the highest amount of C&C servers, Symantec found. India is the most affected country, followed by the US and the UK, but countries all around the world have been affected.
“The distribution of the threats suggests that the attackers attempted to infect as many computers as possible; the attackers do not seem to have targeted specific people or companies,” Cortes said. “This demonstrates how complete the threat landscape is, as well as the resources that attackers have at their disposal.”
As always, web surfers should make sure that all software is up to date and that anti-virus solutions have the latest definitions.