Royal Baby Lures to Blackhole Site

24 Jul 2013

minute read

Authors

Michael Molsner

Kaspersky Lab congratulates the royal couple on the birth of their new baby boy and wish them all well for the future. It is truly joyous news that is being celebrated in the UK and in the rest of the world.

However because it is such big news, it didn’t take long for malicious elements to misuse it as follows: “The Royal Baby: Live updates” promises an email arriving at our spam traps today. A link named “Watch the hospital-cam” is the contained trap which leads to … nowhere because it seems that it has already been cleaned. By the looks of it, it may be a compromised legitimate website which got cleaned.

But we are still interested in what the malicious content could be and we didn’t need to search for long. Exactly _one_ hit for our web search was shown at the time of writing this article.

What we find there is basically the same textual content as we had seen in the email but there is one difference: the contained link to the “hospital-cam” is currently still alive. It contains three links with *.js naming on yet another set of hosts.

Checking these, we finally see what it is all about, namely a “Blackhole Exploit Kit” serving URL – a drive-by approach to infect unprotected users “on the fly”.

Kaspersky Lab products detect this threat as “Trojan-Downloader.JS.Expack.aiy”.

Authors

Michael Molsner

Royal Baby Lures to Blackhole Site

Latest Posts

Latest Webinars

Reports

Kaspersky analyzes SideWinder APT’s recent activity: new targets in the MiddleEast and Africa, post-exploitation tools and techniques.

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

Kaspersky has identified a new EastWind campaign targeting Russian organizations and using CloudSorcerer as well as APT31 and APT27 tools.

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Royal Baby Lures to Blackhole Site

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

TGIF(P) – Thank god it’s fried phish

AVAR 2014 – Australia

CeCOS VIII – Hong Kong

SyScan 2014

CODE BLUE in Tokyo

When spear phishing met mass phishing

Bypassing 2FA with phishing and OTP bots

Message board scams

QR codes in email phishing

Phishing with hacked sites

Latest Posts

Ymir: new stealthy ransomware in the wild

QSC: A multi-plugin framework used by CloudComputating group in cyberespionage campaigns

New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency

Loose-lipped neural networks and lazy scammers

Latest Webinars

Inside the Dark Web: exploring the human side of cybercriminals

The Cybersecurity Buyer’s Dilemma: Hype vs (True) Expertise

Cybersecurity’s human factor – more than an unpatched vulnerability

Building and prioritizing detection engineering backlogs with MITRE ATT&CK

Reports

Beyond the Surface: the evolution and expansion of the SideWinder APT group

BlindEagle flying high in Latin America

EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

APT trends report Q2 2024

Subscribe to our weekly e-mails