Magnitude exploit kit changes tack to make money from CryptoWall ransomware

But does Blackhole demise signal end of exploit kit era?

The Russian Magnitude malware exploit kit has moved on to the territory vacated by the defunct Blackhole Exploit Kit after successfully developing a new and highly profitable business model, according to security firm Trustwave.

The firm's figures show that Magnitude (aka PopAds) now holds a 31 percent market share, not quite the vast and commanding share that Blackhole once enjoyed but good enough to mark it out as the leading automated malware platform for now.

Crimeware kits - better thought of as software platforms - matter to criminals because they offer an automated way for gangs to start, manage and reap the profits of malware attacks without having to do the programming themselves. Crimeware platforms will even deploy exploits against software vulnerabilities, including zero days, and can be upgraded over time as new ones become available.

For the last three years or so the business model of these platforms has been akin to software-as-a-service, with the platform rented out on a commercial basis. Recently, however, Magnitude's developers seem to have tried a new model: instead of charging rent, they take a pre-agreed share of between 5 and 30 percent of the victim traffic grabbed by each campaign.

As Trustwave notes, this doesn't sound like a good deal, and in the past it wouldn't have been. What seems to have changed is the combination of the considerable profits on tap from a single type of malware, ransomware, and the ease of collecting payment in Bitcoin, whose pseudonymous transactions are hard to tie to a real-world identity.

The firm said it had found $60,000 (£35,000) in the Bitcoin wallet of one cybercriminal wielding the CryptoWall ransom Trojan, a finding that chimes with that of another security firm, PhishMe, which recently discovered a separate wallet that had collected over $700,000-worth of Bitcoins from the same malware.

Clearly, the profits on offer from ransom malware are too large for a platform that delivers it to be rented out cheaply.

To give some idea of how many individual systems are being hit by Magnitude-directed attacks, Trustwave found that in one recent month 210,000 of the 1.1 million attack attempts it observed resulted in infection, including 32,000 infections in the US alone.

As well as the US, many other successful attacks were recorded against PCs in Ireland, Vietnam, Argentina, and India.

The analysis does at least offer some interesting clues that Magnitude's developers are growing wary of police intervention: the kit no longer accepts traffic from a range of mostly central Asian and African countries that turn out to have extradition arrangements with Russia, the authors' home country.

The fact that the once mighty Blackhole Exploit Kit collapsed almost overnight after its alleged creator, Paunch, was arrested in Russia last October probably also explains the desire to be more careful. Paunch's fate serves as a warning that the golden age of effortless, risk-free malware platforms is probably over.

A separate Cisco report confirms the waning of exploit kits in general, with overall traffic from this type of platform dropping sharply after Blackhole's demise. Paunch was just too big, too greedy and too successful. Perhaps the makers of Magnitude can avoid his fate by treading more carefully.

Stories by John E Dunn