Evolution of the CookieBomb toolkit

An ongoing, large-scale injection campaign has been raging for the
last 6 months. This campaign utilises a toolkit, dubbed CookieBomb (due
to its signature use of cookies), which is fascinating not only in its
apathy toward a particular platform, but also the code used in the
injections, and way in which it has evolved to escape and evade
traditional AV platforms and structures. This blog will:

  • describe the evolution of not only the raw code involved in these
    attacks, but also the delivery mechanisms with which users are lured to
    infected, or outright malicious, pages
  • implicitly highlight the interaction between, and quid pro quo nature of, major threat-actors within the malware ecosphere
  • describe the use of session Cookies and the etymology of the toolkit name: CookieBomb
  • outline the use of CookieBomb to drive traffic toward EK infrastructure, directly or via TDS systems
  • cover the migration from  BHEK to competing EKs in light of the BHEK author’s arrest
  • detail the point at which the campaign forked into two distinct entities

…(read more)