Researchers have tracked a spike in infections of the BlackShades remote administration tool targeting users' login credentials.
An integral member of the BlackShades gang was reportedly arrested last year, but infections in the US climbed from around 1000 to more than 1600 between July and November 1, security firm Symantec found.
Infections in the hundreds have also been detected on a country-by-country basis in the UK, the Netherlands, Singapore, India, Italy and other countries over the same time period.
Symantec security response engineer Santiago Cortes said attackers have spread the malware via the Neutrino exploit kit.
“During our research, we found that nearly all of the [command-and-control] servers have hosted exploit kits at some point, and until the arrest of the author of the BlackHole exploit kit and the Cool exploit kit, the latter has been the most prevalent,” Cortes said.
“These kits try to exploit different vulnerabilities in the user's computer to execute a malicious payload and infect them. Underground teams have a wide range of resources to perform their attacks.”
He later added that since the BlackHole and Cool exploit kits have “nearly disappeared,” Neutrino was left as the “new kit of choice” for attackers leveraging BlackShades.
Last June, digital advocacy group Electronic Frontier Foundation revealed that BlackShades was being distributed via instant messages from hacked Skype accounts to spy on anti-regime activists in Syria via its surveillance capabilities, which included logging keystrokes and taking screenshots.
Now, researchers at Symantec have found that the attackers' aim is likely to “infect as many computers as possible” with the RAT, Cortes wrote.
According to him, BlackShades targets a number of credentials, namely those used for email services, web services, file transfer protocol (FTP) clients and instant messaging applications.
“Spammers looking for new mail credentials, attackers trying to continue their security breaches with access to new servers and services, and attackers looking for specific information to exfiltrate might be interested in this kind of information,” Cortes said.