Trojan:JS/BlacoleRef

Installation

Your antivirus software might detect BlacoleRef when you visit a compromised or malicious webpage. A compromised webpage is one in which a hacker has inserted malicious JavaScript code without the webpage owner's knowledge.

When you visit the webpage, the JavaScript code - detected as BlacoleRef - is run.

This webpage might be from a site that was safe, but has been hacked, or it might be a webpage or HTML file included in an email. When you open the file, BlacoleRef runs.

This type of attack is known as social engineering, where the hacker tries to get you to visit a webpage or open an email attachment because you think it is something important.

We have seen BlacoleRef use emails that pretend to be about airline tickets, contracts, invoices, bank statements, social network notifications (such as updates from Facebook or Twitter), tax refunds (often pretending to be from your country's government, such as the IRS in the US and the ATO in Australia), and updates from shipping companies, such as UPS or FedEx.

For example, for the detection Trojan:JS/BlacoleRef.W, have seen it distributed in emails with the subject "Re: Wire Transfer Confirmation":

When you open the attachment, you might see a message in your web browser that asks you to "wait" or tells you an error has occurred.

We've also seen this same variant pretend to a UPS tracking notification:

Payload

Exploits vulnerable webpages

The BlacoleRef family is designed to load a hidden IFrame that contacts a malicious page which is stored on a web server. This page determines information about your browser, such as what browser it is (for example, Internet Explorer or Firefox), what version it is, and what plug-ins or extensions you have installed.

The page then redirects the hidden IFrame to another page (or multiple pages) that specifically uses or "exploits" only those vulnerabilities that your browser is susceptible to. These vulnerabilities are then used to download malware onto your PC.

In this way, BlacoleRef forms part of a larger process, all of which is designed to have the greatest success of infecting your PC with malware.

Additional information

This threat's payload might vary, depending on what the server is distributing at any one time.

A common payload is to download additional malware onto your PC, such as trojans and viruses. It could also download malware that then downloads or drops other malware (these are known as trojan downloaders and droppers) or malware that allows remote hackers to gain access and control to your PC (these are known as backdoor trojans).

Further reading

Get gamed and rue the day...

Analysis by Methusela Cebrian Ferrer