The Blackhole toolkit, like all exploit toolkits, is an easily configurable piece of software meant to deliver automated exploits against vulnerable websites. After a successful exploit, the kit drops malicious payloads on the sites, which are then passed on to victims directed to the exploited sites in a “drive-by” fashion. These toolkits make it extremely easy for those with malicious intent and minimal technical knowledge to plug in some basic information, click “Go”, and infect thousands if not tens of thousands of websites at a time. Of the many malicious toolkits available on the underground market, Blackhole has certainly been the most prevalent, and has thereby received the most attention. That is, until recently, when we’ve seen a sudden stirring from a pack called RedKit.
The RedKit Exploit Kit isn’t a newcomer on the scene; in fact, we’ve been seeing malware linked to this particular kit since early last year. It has gained a good amount of press recently for being responsible for the NBC.com hack back in February, and most recently for malware campaigns pretending to be news stories about the Boston Marathon bombings and the explosion at the Texas fertilizer factory days after.
RedKit utilizes Java exploits as well as Adobe Reader exploits in order to get its way onto vulnerable websites. Once there it can leave any payload it wants, most often a banking Trojan that steals account credentials, passwords, browser histories, cookies, etc. from its victims. Exploit kits and their associated banking Trojans are responsible for millions upon millions of dollars of stolen money every year and are something to be avoided at all costs. In fact, I venture to say that the intent of 99.999% of malware active today is geared toward stealing your money. It’s important to stay protected.
Last month RedKit came in as #5 in our top ten web threats as seen by our SecureSurf Web Filtering Engine, with nearly 20 thousand occurrences in that month alone. SecureSurf is able to detect RedKit’s signature move, among other things: a hidden iframe that points its victims to a secondary landing page where the malicious payload resides. RedKit also utilizes a randomized four-character .html or .htm document that it appends to the root folder of the exploited site, e.g. /hcwf.html, /ocir.html, /hoiq.html, /oxuu.html, etc.
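As an added illustration (not SecureSurf’s code or the author’s), the following Python scans a fetched page for the two indicators just described: an iframe hidden by zero size or inline style, and an iframe src pointing at a root-level four-letter .htm/.html page. The sample HTML and the host name compromised.example are constructed; the four-letter path alone is a weak signal that matches many benign pages, so it only rates "low" unless paired with a hidden frame.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Root-level four-letter .htm/.html path: the RedKit naming pattern described above.
# On its own this matches plenty of legitimate pages, so it is a low-confidence indicator.
REDKIT_PATH_RE = re.compile(r"^/[a-z]{4}\.html?$", re.IGNORECASE)

def hidden_style(style):
    """Return True for inline CSS that keeps an element invisible or off-screen."""
    s = style.replace(" ", "").lower()
    return any(m in s for m in ("display:none", "visibility:hidden",
                                "width:0", "height:0", "left:-", "top:-"))

class IframeScanner(HTMLParser):
    """Collect every <iframe> that is hidden or whose src matches the RedKit path pattern."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # valueless attributes arrive as None, hence the "or" guards
        hidden = (hidden_style(a.get("style") or "")
                  or a.get("width") == "0" or a.get("height") == "0")
        src = a.get("src") or ""
        landing = bool(REDKIT_PATH_RE.match(urlparse(src).path))
        if hidden or landing:
            self.findings.append({"src": src, "hidden": hidden, "redkit_path": landing})

def scan_html(doc):
    parser = IframeScanner()
    parser.feed(doc)
    return parser.findings

def verdict(findings):
    """'high' when a hidden iframe also points at a RedKit-style page, 'low' for one indicator."""
    if any(f["hidden"] and f["redkit_path"] for f in findings):
        return "high"
    return "low" if findings else "clean"

# Constructed sample: a compromised page carrying the injected hidden iframe plus a benign embed.
SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="http://compromised.example/hcwf.html" width="0" height="0"
        style="visibility:hidden"></iframe>
<iframe src="https://video.example/embed/clip" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(verdict(scan_html(SAMPLE)), scan_html(SAMPLE))
```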
If someone were to reach these pages, they would likely see the infamous Java loading window as their machines were being taken over by the malware. Luckily for our SecureSurf clients, all they would see is one of these -