A Fresh Example of a Blackhole Spam

June 14, 2012 - By Chris Larsen

My spam honeypots yesterday yielded a nice example of a spam attack being used to lure people to servers hosting the infamous Blackhole exploit kit, which we've blogged about several times in the last six months or so.

The spam arrived the evening before. Here's how it looked:


screenshot of malicious spam


Clicking on one of the links took me to a hacked site, with the following message:

screenshot of initial hacked-site relay


This, of course, is simple camouflage, to distract me while my browser is given further instructions. Under the hood, the HTML looks like this:

screenshot of inner HTML for the relay


I retrieved the first of the js.js files, which is extremely simple, just one line of script:

the one-line relay


This IP hosts the Blackhole kit, and had already been flagged as a malware source in our database by one of our analysts when I checked, along with a sibling site that I found via following a different link. (Good to know that the team is on task!)
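As an added example (not code from the original post or its author), here is a small triage helper that automates the two things the walkthrough above does by hand: listing the off-site `<script src="...js.js">` includes hidden in a hacked relay page, and pulling the redirect target out of a one-line relay script, flagging it when the host is a bare IP. The HTML, the script and the IP address below are constructed sample input, not the actual spam or relay content.

```python
import re
from urllib.parse import urlparse

# <script ... src="..."> includes, case-insensitive.
SCRIPT_SRC = re.compile(r'<script[^>]+src\s*=\s*["\']([^"\']+)["\']', re.I)
# One-line relays usually assign a new location or set an iframe/script src.
REDIRECT = re.compile(
    r'(?:location(?:\.href)?\s*=|location\.replace\(|src\s*=)\s*["\']([^"\']+)["\']', re.I)
BARE_IP = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def external_scripts(html, page_host):
    """Return script src URLs loaded from hosts other than the page's own."""
    found = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname  # None for relative paths like /assets/x.js
        if host and host != page_host:
            found.append(src)
    return found


def relay_targets(js):
    """Return (url, host_is_bare_ip) for each redirect/src target in a relay script."""
    out = []
    for url in REDIRECT.findall(js):
        host = urlparse(url).hostname or ""
        out.append((url, bool(BARE_IP.match(host))))
    return out


# Constructed sample: a relay page and a js.js shaped like the ones described above.
RELAY_HTML = """<html><body><h2>Please wait, loading...</h2>
<script type="text/javascript" src="http://hacked-site-a.example/js.js"></script>
<script type="text/javascript" src="http://hacked-site-b.example/js.js"></script>
<script src="/assets/site.js"></script></body></html>"""
RELAY_JS = 'document.location="http://192.0.2.10/main.php?page=abcd1234";'

if __name__ == "__main__":
    for s in external_scripts(RELAY_HTML, "hacked-site-c.example"):
        print("external script include:", s)
    for url, is_ip in relay_targets(RELAY_JS):
        print("relay target:", url, "(bare IP host)" if is_ip else "")
```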


--C.L.

@bc_malware_guy